oss-sec mailing list archives
CVE request - BigTree CMS 4.2.13 Extension Form Builder Multiple Cross-Site Scripting (XSS)
From: haojun hou <haojunhou () gmail com>
Date: Thu, 24 Nov 2016 15:22:28 +0800
Hi: BigTree CMS 4.2.13 Extension Form Builder- Multiple Cross-Site Scripting (XSS) Procuct: BigTree CMS Extension Form Builder Vendor: BigTree CMS Developer https://www.bigtreecms.org/extensions/details/com.fastspot.form-builder Vunlerable Version: 1.1 Tested Version: 1.1 Author: Haojun Hou in ADLab of Venustech Advisory Details: Haojun Hou in ADLab of Venustech discovered Multiple Cross-Site Scripting (XSS) in BigTree CMS Extension “Form Builder”, which can be exploited to add,modify or delete information in application`s database and gain complete control over the application. The vulnerability exists due to insufficientfiltration of user-supplied data in multiple HTTP POST parameters passed to “site/index.php/../../extensions/com.fastspot.form-builder/ajax/redraw-field.php” url. An attacker could execute arbitrary HTML and script code in browser in context of the vulnerable website. The exploitation examples below uses the "alert()" JavaScript function to see a pop-up messagebox: (1)POST id= "?><script>alert("hacked by ADLab");</script><?" (2)POST name= "?><script>alert("hacked by ADLab");</script><?" (3)POST type= "?><script>alert("hacked by ADLab");</script><?" Could you please help me assign a CVE for this issue?
Current thread:
- CVE request - BigTree CMS 4.2.13 Extension Form Builder Multiple Cross-Site Scripting (XSS) haojun hou (Nov 24)