咬定青山不放松,立根原在破岩中。千磨万击还坚劲,任尔东西南北风

© 竹意 | Powered by LOFTER

【转载】CVE-2014-9557 SmartCMS Multiple XSS (Cross-Sit

来自:醉雨他乡游

CVE-2014-9557 SmartCMS Multiple XSS (Cross-Site Scripting) Security Vulnerability

 

 


 

 

Exploit Title: Smartwebsites SmartCMS v.2 Multiple XSS Security Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9557
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

 

 

 

 


Advisory Details:

 

 


 

(1) Vendor & Product Description

 

Vendor: Smartwebsites

 

Product & Version: SmartCMS v.2

 

Vendor URL & Download:

http://www.smartwebsites.com.cy/index.php?pageid=13&lang=en

 

Product Description: “SmartCMS is one of the most user friendly and smart content management systems there is in the Cyprus market. It makes the content management of a webpage very easy and simple, regardless of the user’s technical skills.”

 

 


 

 

 

(2) Vulnerability Details:

SmartCMS v.2 has a security vulnerability. It can be exploited by XSS attacks.

 

(2.1) The first vulnerability occurs at “index.php?” page with “pageid” “lang” multiple parameters.

 

(2.2) The second vulnerability occurs at “sitemap.php?” page with “pageid” “lang” multiple parameters.

 

 

 

 



 


 

 


 

 

 

References:

http://www.tetraph.com/security/cves/cve-2014-9557-smartcms-multiple-xss-cross-site-scripting-security-vulnerability/

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9557

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9557

http://packetstormsecurity.com/files/130076/SmartCMS-2-Cross-Site-Scripting.html

http://en.hackdig.com/?13971.htm

http://cxsecurity.com/issue/WLB-2015010130

https://hackertopic.wordpress.com/2015/02/11/cve-2014-9557-smartcms-multiple-xss-cross-site-scripting-security-vulnerability/

http://cve.scap.org.cn/CVE-2014-9557.html

http://securitypost.tumblr.com/post/110696783722/itinfotech-cve-2014-9557-smartcms-multiple-xss

http://exploitarchive.com/smartcms-2-cross-site-scripting/

http://webtechhut.blogspot.com/2015/02/cve-2014-9557-smartcms-multiple-xss.html

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1502

http://blog.163.com/greensun_2006/blog/static/11122112201511105129826/

http://itsecurity.lofter.com/post/1cfbf9e7_5c3a4a8

 
评论
 
回到顶部