Sunday 9 November 2014

X3 CMS XSS And CSRF "CVE-2014-8771 , CVE-2014-8772"

Hello all friends , today i am disclosing the issue which i found in X3CMS ( 0.5.1 & )

So Here Is The X3 CMS XSS And CSRF

There were two vulnerabilities ,

    1.) CSRF
    2.) Reflected XSS [POST]

There were a xss in X3CMS ( 0.5.1 & ) on "search" parameter which only exploitable by an authenticated user ( Post XSS ) ,

Not possible to exploit these same bug in remotely , You can see the POC Below

There was a CSRF vulnerability in the form submission in most controllers used in the admin area. This could be an issue if you open the admin area to unknown users , I will update the CSRF POC later

Because due to Public disclosure by vendor  i am also announcing the details , Let the all users update their Framework then i will update this post with CSRF POC

Thanks To Paolo Certo For Quick Response And Fast Fixing

Reporting Time Line

Reported To Vendor - 2 Nov 2014

Acknowledge By Vendor -  3 Nov 2014

Affected Version - 0.5.1 &

Severity – High

X3 CMS Public Advisory -

CVE ID - CVE-2014-8771. , CVE-2014-8772

Full Public Disclosure -  To Be Updated

No comments:

Post a Comment