| शीर्षक | ClipperCMS 1.3.3 'Site name' Stored Cross Site Scripting |
|---|
| विवरण | Stored cross-site scripting (XSS) vulnerability in the "Site Name" field found in the "site" tab under configurations in ClipperCMS 1.3.3 allows remote attackers to inject arbitrary web script or HTML via a crafted site name by doing an authenticated POST HTTP request to ClipperCMS/manager/processors/save_settings.processor.php.
If the data is not sanitized upon input (Site name), these are going to return arbitrary web script or HTML that can be rendered by the browser because of having <?php echo $site_name; ?>, hence, the "Affected Components" are as follow:
-/manager/actions/mutate_settings.dynamic.php
-/manager/actions/import_site.static.php
-/manager/actions/mutate_content.dynamic.php
-/manager/frames/1.php
-/manager/frames/tree.php
-/manager/frames/menu.php
This vulnerability has been assigned with CVE-2018-11332 from mitre.org. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11332 |
|---|
| स्रोत | ⚠️ https://github.com/ClipperCMS/ClipperCMS/issues/483 |
|---|
| उपयोगकर्ता | nathunandwani (UID 862) |
|---|
| सबमिशन | 23/05/2018 07:58 PM (8 साल पहले) |
|---|
| संयम | 24/05/2018 04:51 PM (21 hours later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 118146 [ClipperCMS 1.3.3 Site name mutate_settings.dynamic.php क्रॉस साइट स्क्रिप्टिंग] |
|---|
| अंक | 20 |
|---|