oss-sec mailing list archives
Symphony CMS 2.6.3 - Multiple Reflected Cross-site Scripting Vulnerability
From: CSW Research Lab <disclose () cybersecurityworks com>
Date: Tue, 22 Dec 2015 10:49:39 +0000
Hi all can you please assign CVE for this issue ? Description *************** Symphony CMS 2.6.3 is prone to Cross-site scripting vulnerability because it fails to sanitize user-supplied input in default email settings.An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user of the affected site. Proof of Concept URL *************************** [+] http://192.168.56.101/symphony/symphony/system/preferences/ Vulnerable Parameter ************************** [+] email_sendmail[from_name] [+] email_sendmail[from_address] [+] email_smtp[from_name] [+] email_smtp[from_address] [+] email_smtp[host] [+] email_smtp[port] [+] it_image_manipulation[trusted_external_sites] [+] maintenance_mode[ip_whitelist]
Current thread:
- Symphony CMS 2.6.3 - Multiple Reflected Cross-site Scripting Vulnerability CSW Research Lab (Dec 22)