lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Nov 2015 06:16:04 GMT From: GalaxyCVEcollector@...il.com To: bugtraq@...urityfocus.com Subject: Accentis Content Resource Management System - XSS # Vulnerability type: Stored Cross Site Scripting # Vendor: http://www.accentis.com.au/ # Product: Accentis Content Resource Management System # Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan # CVE ID: CVE-2015-3425 # PROOF OF CONCEPT (XSS) Accentis Content Resource Management System before October 2015 patch contains Stored Cross-site scripting (XSS) vulnerability which allows authenticated users to inject arbitrary javascript via the following parameter. # VULNERABLE PARAMETER: - ctl00$cph_content$_uig_formState # SAMPLE PAYLOAD - <script>alert(“XSS”)</script> # TIMELINE - 15/04/2015: Vulnerability found - 09/07/2015: Vendor informed - 09/07/2015: Vendor responded and acknowledged - 28/10/2015: Vendor fixed the issue - 02/11/2015: Public disclosure
Powered by blists - more mailing lists