Date: Mon, 12 Jan 2015 06:05:49 +0100
From: Steffen Rösemann <>
Subject: [FD] Reflecting XSS vulnerability in CMS Croogo v.2.2.0

Advisory: Reflecting XSS vulnerability in CMS Croogo v.2.2.0
Advisory ID: SROEADV-2015-02
Author: Steffen Rösemann
Affected Software: CMS Croogo v.2.2.0
Vendor URL:
Vendor Status: solved

Vulnerability Description:

The filemanager functionality in the administrative backend of CMS Croogo
v. 2.2.0 is prone to reflected cross-site scripting (XSS).

Technical Details:

The filemanager of a common Croogo installation is located here:


Appending arbitrary HTML and/or JavaScript code to an existing filename in the
request causes that code to be rendered unescaped in the generated page.
Appending code to an existing directory name does not appear to trigger the
issue.
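The following is an added illustration, not code from Croogo or from the advisory author, of the class of bug described above and of the fix the vendor would apply: a file manager echoes a user-controlled filename into its HTML listing. The request path and the "path" query parameter are assumptions for the example; the sample request is constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: a filename taken from the query string with
# markup appended. The route and parameter name are hypothetical.
SAMPLE_REQUEST = (
    "/admin/file_manager/browse"
    "?path=notes.txt%3Cscript%3Ealert(1)%3C/script%3E%3C!--"
)


def filename_from_request(url: str) -> str:
    """Return the user-controlled filename carried in the query string."""
    query = parse_qs(urlsplit(url).query)
    return query.get("path", [""])[0]


def render_listing_vulnerable(filename: str) -> str:
    """Flawed rendering: the filename is concatenated into the page verbatim,
    so any markup it contains becomes part of the DOM (reflected XSS)."""
    return f"<ul><li>{filename}</li></ul>"


def render_listing_hardened(filename: str) -> str:
    """Fixed rendering: HTML-encode the value at the point of output so that
    '<', '>', '&' and quotes are displayed as text rather than interpreted."""
    return f"<ul><li>{html.escape(filename, quote=True)}</li></ul>"


def contains_raw_markup(rendered: str, user_input: str) -> bool:
    """Regression check for templates: True if a user-supplied value that
    carries angle brackets appears in the output without encoding."""
    has_markup = "<" in user_input or ">" in user_input
    return has_markup and user_input in rendered


if __name__ == "__main__":
    name = filename_from_request(SAMPLE_REQUEST)
    print("vulnerable:", render_listing_vulnerable(name))
    print("hardened:  ", render_listing_hardened(name))
    print("raw markup in vulnerable output:",
          contains_raw_markup(render_listing_vulnerable(name), name))
    print("raw markup in hardened output:  ",
          contains_raw_markup(render_listing_hardened(name), name))
```

In a CakePHP-based application such as Croogo the equivalent of `html.escape()` is wrapping the value in the framework's `h()` helper in the view; the `contains_raw_markup` check is the kind of assertion worth adding to a view test so that a filename or directory name containing markup can never again reach the page unencoded.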


in filemanager functionality of CMS Croogo 2.2.0")</script><!--

Solution:

Update to Croogo v.2.2.1.

Disclosure Timeline:

03-Jan-2015 - found the vulnerability
03-Jan-2015 - informed the developers by opening an issue on Github (see
03-Jan-2015 - release date of this security advisory [without technical
12-Jan-2015 - fix by vendor (v. 2.2.1)
12-Jan-2015 - release date of this security advisory
12-Jan-2015 - sent to lists


Vulnerability found and advisory written by Steffen Rösemann.



Sent through the Full Disclosure mailing list