Message-ID: <CAFkM3a+tCC+PgnDtQ8HEvz3CNp_7C4Tmr8NxomgpznGpBKnkUw@mail.gmail.com>
Date: Thu, 22 Sep 2016 11:37:40 +0800
From: 王畅 <fyth.cnss@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: XSS Vulnerability in Exponent CMS 2.3.9

Hi, I reported a Cross Site Scripting vulnerability to the
ExponentCMS team a few days ago:
vulnerability:


/framework/modules/file/connector/uploader.php

line 85-86:
```
$funcNum = $_GET['CKEditorFuncNum'] ;
echo "<script type='text/javascript'>window.parent.CKEDITOR.tools.callFunction(".$funcNum.", '".$url."', '".$message."');</script>";
```

"$_GET['CKEditorFuncNum']" was printed out without any sanitization.


PoC: http://exponentcms.org/framework/modules/file/connector/uploader.php?CKEditorFuncNum=[removed]<svg/onload=alert(1)>


And now, this vulnerability has been fixed.
https://exponentcms.lighthouseapp.com/projects/61783/changesets/3f06b07755f35b96eff05ed3e3e1df2b907cade1

https://github.com/exponentcms/exponent-cms/commit/3f06b07755f35b96eff05ed3e3e1df2b907cade1


This issue was reported by Wang Chang of silence.com.cn Inc. and I would like
to request a CVE for this issue (if not done so).

Thank you.
---------------------------------
http://www.silence.com.cn
wangchang#silence.com.cn
PKAV Team
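
The issue reported above, as an added example that is not part of the original message and is not the project's actual fix: one way to emit the CKEditor callback in PHP so that `CKEditorFuncNum` is accepted only as digits and the other arguments are JSON-encoded. The function name and the sample inputs are hypothetical.

```php
<?php
// Added example, not Exponent CMS code. Names and sample inputs are hypothetical.

/**
 * Build the CKEditor upload callback <script> without letting request data
 * reach the page as markup or as JavaScript. Returns null when rejected.
 */
function ckeditor_callback_script($rawFuncNum, string $url, string $message): ?string
{
    // CKEditorFuncNum is a numeric callback reference, so accept digits only.
    // \A...\z anchors the whole string ("$" would tolerate a trailing newline).
    // The is_string() check rejects array input such as CKEditorFuncNum[]=1.
    if (!is_string($rawFuncNum) || preg_match('/\A[0-9]{1,9}\z/', $rawFuncNum) !== 1) {
        return null;
    }
    $funcNum = (int) $rawFuncNum;

    // json_encode() yields valid JS string literals; the JSON_HEX_* flags turn
    // <, >, &, ' and " into \uXXXX escapes, so a "</script>" inside a value
    // cannot close the surrounding script element.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $jsUrl = json_encode($url, $flags);
    $jsMessage = json_encode($message, $flags);
    if ($jsUrl === false || $jsMessage === false) {
        return null; // e.g. invalid UTF-8 in the value
    }

    return "<script type='text/javascript'>window.parent.CKEDITOR.tools.callFunction("
        . $funcNum . ", " . $jsUrl . ", " . $jsMessage . ");</script>";
}

// Constructed inputs standing in for $_GET['CKEditorFuncNum'].
$samples = [
    '3',                       // well-formed value
    '1<svg/onload=alert(1)>',  // markup appended to the number, as in the PoC
    "7\n",                     // trailing newline
    ['1'],                     // array-valued parameter
];

foreach ($samples as $raw) {
    $out = ckeditor_callback_script($raw, '/files/a.png', "it's </script> done");
    echo var_export($raw, true), ' => ', $out === null ? 'rejected' : $out, PHP_EOL;
}
```

Only the first sample produces output; its message argument is emitted with `<`, `>` and `'` as `\u003C`, `\u003E` and `\u0027`.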
