
Xoops CMS 2.5.7.1 Cross Site Scripting

Posted on 25 April 2015

Hi Team,

#Affected Vendor: http://www.xoops.org/
#Date: 24/04/2015
#Discovered by: Joel Vadodil Varghese
#Type of vulnerability: Persistent XSS
#Tested on: Windows 8.1
#Product: Xoops CMS
#Version: 2.5.7.1
#Tested Link: http://localhost/Xoops/htdocs/modules/system/admin.php?fct=preferences&op=show&confcat_id=3

Description: Xoops CMS is a free, open-source content management system (CMS) written in PHP. It uses a modular architecture that lets users customize, update and theme their websites. Xoops CMS is vulnerable to a stored (persistent) XSS vulnerability in spite of the Protector Center module. The vulnerable parameter is "footer"; a payload submitted there leads to the site's compromise.

#Proof of Concept (PoC):
%22%3E%3Cimg+src%3D%22blah.jpg%22+onerror%3D%22alert%28%27pwned%27%29%22%2F%3E

--
Regards,
Joel V
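The defensive side of this finding, as an added example that is not XOOPS code and does not reproduce XOOPS's own preference handling or templates: it decodes the advisory's PoC the way a form handler would store it, renders it once without encoding (the stored-XSS condition the advisory describes) and once through contextual HTML encoding, and applies a small check that a test suite can run against rendered output. The function names, the `<div id="footer">` wrapper and the check regex are assumptions for illustration.

```php
<?php
// Added example, not XOOPS code: demonstrates why an unencoded stored preference
// executes script in the browser and how output encoding neutralises it.

// The advisory's PoC, exactly as it appears URL-encoded in the request body.
const POC_ENCODED = '%22%3E%3Cimg+src%3D%22blah.jpg%22+onerror%3D%22alert%28%27pwned%27%29%22%2F%3E';

// Value as it would be persisted after the form field is decoded
// (urldecode() also turns '+' into a space, matching application/x-www-form-urlencoded).
function storedFooterValue(): string
{
    return urldecode(POC_ENCODED);
}

// Vulnerable rendering: the stored value is concatenated into the page unchanged,
// so the payload's '"><img ... onerror=...>' becomes live markup.
function renderFooterUnsafe(string $footer): string
{
    return '<div id="footer">' . $footer . '</div>';
}

// Hardened rendering: encode for the HTML element-body context. ENT_QUOTES also
// encodes both quote characters, so the same value is safe inside an attribute,
// and ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function renderFooterSafe(string $footer): string
{
    return '<div id="footer">'
        . htmlspecialchars($footer, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</div>';
}

// Regression check for rendered output: does an <img> element with an onerror
// handler survive as real markup? Expected to be true for the unsafe path only.
function containsImgOnerror(string $html): bool
{
    return (bool) preg_match('/<img\b[^>]*\bonerror\s*=/i', $html);
}

$footer = storedFooterValue();
echo "Stored value : {$footer}\n";
echo "Unsafe output: " . renderFooterUnsafe($footer) . "\n";
echo "Safe output  : " . renderFooterSafe($footer) . "\n";
echo "Unsafe output carries onerror: " . var_export(containsImgOnerror(renderFooterUnsafe($footer)), true) . "\n";
echo "Safe output carries onerror  : " . var_export(containsImgOnerror(renderFooterSafe($footer)), true) . "\n";
```

Encoding on output is the right fix when the setting is meant to hold plain text. If a footer preference is intended to carry limited HTML (links, for example), full encoding would break that feature; the alternative is an allowlist-based HTML sanitizer applied at render time, with an input filter such as the Protector module treated as defence in depth rather than the only control, which is consistent with the advisory's observation that the filter alone did not stop the stored payload.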
