Date: Sat, 12 Dec 2015 20:24:41 +0530
From: CSW Research Lab <disclose@...ersecurityworks.com>
To: fulldisclosure@...lists.org
Subject: [FD] Bedita 3.6.0 – Cross-Site Scripting Vulnerability

================================================================
Bedita 3.6.0 – Cross-Site Scripting Vulnerability
================================================================

Information
**********************

Vulnerability Type: Cross-Site Scripting Vulnerability
Vulnerable Version: 3.6.0
Severity: Medium
Author: Arjun Basnet
CVE-ID: N/A
Homepage: http://www.bedita.com/

Description
***********************

Bedita is prone to a URI-based cross-site scripting vulnerability because it
fails to sanitize user-supplied input. An attacker may leverage this issue
to execute arbitrary script code in the browser of an unsuspecting user of
the affected site.

Proof of Concept URL
***************************

[+] http://localhost/bedita/beditaapp/pages/showObjects/2/0/0/leafs"><script>alert(1);</script>

Affected URL
*****************

[+] http://localhost/bedita/beditaapp/pages/showObjects/2/0/0/leafs

Payload
=======================

"><script>alert(1);</script>
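The payload opens with `">` so that it closes a quoted HTML attribute and its tag before the script element, which is why output encoding for the attribute context neutralises it. The following is an added example, not code from Bedita or from the advisory's author: it assumes, hypothetically, that the affected page reflects the request path into an HTML attribute (the advisory does not say where the path is echoed), shows that pattern beside a hardened rendering that escapes for the attribute context, and runs a small detector over constructed access-log lines so a defender can spot the same attempt in their own logs.

```python
"""Reflected XSS via the request path: vulnerable rendering, hardened rendering,
and a log check. Added example; the attribute-reflection pattern is an
assumption about the affected page, and the log lines are constructed."""
import html
import re
from urllib.parse import unquote

# Paths from the advisory: the affected route, and the same route with the
# reported payload appended.
BENIGN_PATH = "/bedita/beditaapp/pages/showObjects/2/0/0/leafs"
ATTACK_PATH = BENIGN_PATH + '"><script>alert(1);</script>'


def render_vulnerable(request_path: str) -> str:
    """Reflect the raw request path into an href attribute without encoding.

    Hypothetical pattern: this is what a page would have to do for the
    advisory's `">` prefix to break out of the attribute and inject a tag."""
    return f'<a href="{request_path}">reload</a>'


def render_hardened(request_path: str) -> str:
    """Same markup, but the path is HTML-escaped for the attribute context.

    html.escape(quote=True) turns `"`, `'`, `<`, `>` and `&` into entities, so the
    reflected value can no longer close the attribute or open a script element."""
    return f'<a href="{html.escape(request_path, quote=True)}">reload</a>'


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(markup: str) -> bool:
    """True if the rendered markup contains a real (unescaped) <script> opener."""
    return SCRIPT_TAG.search(markup) is not None


# Constructed Apache/Nginx-style access-log lines: one normal request, one
# carrying the URL-encoded form of the advisory's payload.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [12/Dec/2015:20:24:41 +0530] '
    '"GET /bedita/beditaapp/pages/showObjects/2/0/0/leafs HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Dec/2015:20:25:03 +0530] '
    '"GET /bedita/beditaapp/pages/showObjects/2/0/0/leafs'
    '%22%3E%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1" 200 5180',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_reflected_xss_attempts(log_lines) -> list:
    """Return the decoded request paths that contain a <script> opener.

    Paths are percent-decoded first, because the payload normally arrives
    URL-encoded and a raw substring match on the log line would miss it."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        decoded_path = unquote(match.group(1))
        if SCRIPT_TAG.search(decoded_path):
            hits.append(decoded_path)
    return hits


if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(ATTACK_PATH))
    print("hardened   :", render_hardened(ATTACK_PATH))
    print("log hits   :", flag_reflected_xss_attempts(SAMPLE_ACCESS_LOG))
```

The hardened renderer is context-specific: `html.escape` is the right encoder for text and quoted-attribute positions, but a path reflected into a JavaScript string or a `javascript:` URL needs its own encoder, and an allow-list on the route segments (digits and a fixed set of action names) is a cheaper first line of defence than encoding alone.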

Advisory Information:
================================================
Bedita CMS XSS Vulnerability


Severity Level:
=========================================================
Medium

Description:
==========================================================

Vulnerable Product:

[+] Bedita 3.6.0

Advisory Timeline
************************

14-Oct-2015 - Reported
14-Oct-2015 - Vendor response
11-Dec-2015 - Vendor released fixed version
12-Dec-2015 - Publicly disclosed

Fixed Version:
*****************

[+] Bedita 3.7.0 (http://www.bedita.com/home-be/be-download-2)


Reference
*****************

[+] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


Credits & Authors
************************
Arjun Basnet from Cyber Security Works Pvt. Ltd. (http://cybersecurityworks.com)

-- 
----------
Cheers !!!

Team CSW Research Lab <http://www.cybersecurityworks.com>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/