List: oss-security
Subject: [oss-security] CVE request - BigTree CMS 4.2.13 Extension Form Builder Multiple Cross-Site Scripting
From: haojun hou <haojunhou () gmail ! com>
Date: 2016-11-24 7:22:28
Message-ID: 6921209F-B318-4448-B0C1-55798888CDE3 () gmail ! com
Hi:
BigTree CMS 4.2.13 Extension Form Builder - Multiple Cross-Site Scripting (XSS)
Product: BigTree CMS Extension Form Builder
Vendor: BigTree CMS Developer
https://www.bigtreecms.org/extensions/details/com.fastspot.form-builder
Vulnerable Version: 1.1
Tested Version: 1.1
Author: Haojun Hou in ADLab of Venustech
Advisory Details:
Haojun Hou in ADLab of Venustech discovered Multiple Cross-Site Scripting (XSS) in BigTree CMS Extension "Form Builder", which can be exploited to add, modify or delete information in the application's database and gain complete control over the application.
The vulnerability exists due to insufficient filtration of user-supplied data in multiple HTTP POST parameters passed to the "site/index.php/../../extensions/com.fastspot.form-builder/ajax/redraw-field.php" URL. An attacker could execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
The exploitation examples below use the "alert()" JavaScript function to see a pop-up message box:
(1)POST id= "?><script>alert("hacked by ADLab");</script><?"
(2)POST name= "?><script>alert("hacked by ADLab");</script><?"
(3)POST type= "?><script>alert("hacked by ADLab");</script><?"
Could you please help me assign a CVE for this issue?
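
The message above attributes the issue to unfiltered POST parameters (id, name, type) reaching the response. As an added example, not part of the original message and not BigTree CMS or Form Builder code, the PHP below contrasts an unsafe reflection pattern with a handler that validates id and type and HTML-encodes every value on output. The function names, the allow-list of field types and the markup are assumptions made for illustration.

```php
<?php
// Added illustration; not code from BigTree CMS or the Form Builder extension.
// Function names, the type allow-list and the markup are assumptions.

// Unsafe pattern: request values are concatenated into markup unencoded.
function redraw_field_unsafe(array $post): string
{
    return '<div id="' . $post['id'] . '" class="field ' . $post['type'] . '">'
         . '<label>' . $post['name'] . '</label></div>';
}

// Encode a value for HTML text and quoted-attribute contexts.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: validate structure first, then encode on output.
function redraw_field_safe(array $post): ?string
{
    $allowedTypes = ['text', 'textarea', 'select', 'checkbox']; // assumed list

    $id   = $post['id']   ?? '';
    $type = $post['type'] ?? '';
    $name = $post['name'] ?? '';

    // Reject array-valued parameters and anything outside the expected shape.
    if (!is_string($id) || !is_string($type) || !is_string($name)) {
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        return null;
    }
    if (!in_array($type, $allowedTypes, true)) {
        return null;
    }

    // name is free text, so it is accepted but always encoded.
    return '<div id="' . h($id) . '" class="field ' . h($type) . '">'
         . '<label>' . h($name) . '</label></div>';
}

// Constructed sample input modelled on the test string in the message.
$probe = '"?><script>alert("hacked by ADLab");</script><?"';
echo redraw_field_safe(['id' => 'field_1', 'type' => 'text', 'name' => $probe]), PHP_EOL;
var_dump(redraw_field_safe(['id' => $probe, 'type' => 'text', 'name' => 'x']));
```

Validation alone is not the control here: the encoding step in h() is what keeps a free-text value such as name from being interpreted as markup.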