[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201511020616.tA26G4DE016990@sf01web1.securityfocus.com>
Date: Mon, 2 Nov 2015 06:16:04 GMT
From: GalaxyCVEcollector@...il.com
To: bugtraq@...urityfocus.com
Subject: Accentis Content Resource Management System - XSS
# Vulnerability type: Stored Cross Site Scripting
# Vendor: http://www.accentis.com.au/
# Product: Accentis Content Resource Management System
# Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan
# CVE ID: CVE-2015-3425
# PROOF OF CONCEPT (XSS)
Accentis Content Resource Management System before October 2015 patch contains Stored Cross-site scripting (XSS) vulnerability which allows authenticated users to inject arbitrary javascript via the following parameter.
# VULNERABLE PARAMETER:
- ctl00$cph_content$_uig_formState
# SAMPLE PAYLOAD
- <script>alert(“XSS”)</script>
# TIMELINE
- 15/04/2015: Vulnerability found
- 09/07/2015: Vendor informed
- 09/07/2015: Vendor responded and acknowledged
- 28/10/2015: Vendor fixed the issue
- 02/11/2015: Public disclosure
Powered by blists - more mailing lists