Hello all friends, today I am disclosing an issue I found in X3CMS (0.5.1 & 0.5.1.1).
So here is the X3 CMS XSS and CSRF.
There were two vulnerabilities:
1. CSRF
2. Reflected XSS [POST]
It is not possible to exploit these same bugs remotely; you can see the PoC below.
There was a CSRF vulnerability in the form submission in most controllers used in the admin area. This could be an issue if you open the admin area to unknown users. I will update the CSRF PoC later.
Because of the public disclosure by the vendor, I am also announcing the details. Let all users update their framework; then I will update this post with the CSRF PoC.
Thanks to Paolo Certo for the quick response and fast fix.
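To show the defensive side of the two bug classes above, here is an added example (not X3CMS code, and not the vendor's fix) of a base admin controller that rejects form POSTs lacking a per-session synchronizer token and HTML-encodes any submitted value it reflects; the class, function and field names (AdminController, ArticleController, csrf_token, _token) are assumed.

```php
<?php
// Added illustration, not X3CMS code: a synchronizer-token CSRF check and output
// encoding shared by all admin controllers; AdminController and _token are assumed names.
session_start();

// One random token per session, embedded as a hidden field in each admin form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept a POST only if its token matches the session token (constant-time compare).
function csrf_check(array $post): bool
{
    $sent = $post['_token'] ?? '';
    return is_string($sent) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// Encode untrusted values before reflecting them into HTML (the reflected-XSS fix).
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Most admin controllers accept forms, so the check lives in the base class.
abstract class AdminController
{
    public function handle(string $method, array $post): string
    {
        if ($method === 'POST' && !csrf_check($post)) {
            http_response_code(403);
            return 'Invalid or missing CSRF token';
        }
        return $this->process($post);
    }
    abstract protected function process(array $post): string;
}

final class ArticleController extends AdminController
{
    protected function process(array $post): string
    {
        return '<p>Saved: ' . h((string) ($post['title'] ?? '')) . '</p>'
             . '<input type="hidden" name="_token" value="' . h(csrf_token()) . '">';
    }
}
```

A forged cross-site form cannot read the victim's session token, so its POST fails the check in handle() before any controller logic runs.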
Reporting Time Line
Reported To Vendor - 2 Nov 2014
Acknowledge By Vendor - 3 Nov 2014
Affected Version - 0.5.1 & 0.5.1.1
Severity - High
X3 CMS Public Advisory - http://www.x3cms.net/en/news/article/8bb9a4f84d956653b4daa19ee7c529fa/x3_cms_0.5.2
CVE ID - CVE-2014-8771, CVE-2014-8772
Full Public Disclosure - To Be Updated