
List:       oss-security
Subject:    [oss-security] CVE request - BigTree CMS 4.2.13 - Cross-Site Scripting (XSS)
From:       haojun hou <haojunhou () gmail ! com>
Date:       2016-11-24 7:18:02
Message-ID: F0516C22-C2D6-4C52-8AD1-86F33F6A2513 () gmail ! com


Hi:
BigTree CMS 4.2.13 - Cross-Site Scripting (XSS) 

Product: BigTree CMS

Vendor: BigTree CMS (https://www.bigtreecms.org/)

Vulnerable Version: 4.2.13 and probably prior

Tested Version: 4.2.13

Author: Haojun Hou in ADLab of Venustech

 

Advisory Details:

Haojun Hou in ADLab of Venustech discovered a Cross-Site Scripting (XSS) vulnerability in BigTree CMS, which can be exploited to add, modify or delete information in the application's database and gain complete control over the application.

 

The vulnerability exists due to insufficient filtration of user-supplied data in the "id" HTTP GET parameter passed to the "core/admin/adjax/dashboard/check-module-integrity.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

The exploitation example below uses the "alert()" JavaScript function to display a pop-up message box:

http://localhost/BigTreeCMS/core/admin/adjax/dashboard/check-module-integrity.php?id="><script>alert(1);</script><"

 

Could you please help me assign a CVE for this issue?
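
Added example, not part of the original message and not BigTree CMS source: the reflected-parameter pattern the advisory describes, next to a hardened form that validates the "id" value and encodes it for an HTML attribute. The function names, the hidden-input markup and the allow-list pattern for "id" are assumptions made for illustration.

```php
<?php
// Illustration only: hypothetical helpers, not code from BigTree CMS.

// Vulnerable pattern: the raw request value is concatenated into a
// double-quoted attribute, so a value containing a double quote followed by
// a closing angle bracket ends the attribute and the tag, and the rest of
// the value is parsed as markup.
function render_unsafe(string $id): string {
    return '<input type="hidden" name="id" value="' . $id . '">';
}

// Output encoding for the HTML attribute context. ENT_QUOTES encodes both
// quote characters; ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead
// of returning an empty string.
function encode_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: reject anything that does not match the expected shape,
// then still encode on output so the markup stays safe if the rule changes.
function render_safe(string $id): string {
    // Assumption: identifiers are short tokens of letters, digits, "_" or "-".
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        throw new InvalidArgumentException('invalid id');
    }
    return '<input type="hidden" name="id" value="' . encode_attr($id) . '">';
}

// Value of the "id" parameter taken from the advisory's example URL.
$payload = '"><script>alert(1);</script><"';

// Unsafe rendering: the script element becomes part of the page markup.
echo render_unsafe($payload), PHP_EOL;

// Encoding only: the same value is emitted as inert character references.
echo encode_attr($payload), PHP_EOL;

// Validation plus encoding: the advisory's value is rejected outright,
// while a well-formed identifier (constructed sample) renders normally.
try {
    render_safe($payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo render_safe('42'), PHP_EOL;
```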


