Squiz CMS – Multiple Cross-Site Scripting / XML External Entity Injection Vulnerabilities

• Exploit Database
• 121 阅读

• 作者： Nadeem Salim
  日期： 2012-06-14
• 类别：

  • webapps
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/37416/
• 1 2 3 4 5 6 7 8 9 10

  source: https://www.securityfocus.com/bid/54049/info   Squiz CMS is prone to multiple cross-site scripting vulnerabilities and an XML external entity injection vulnerability because it fails to properly sanitize user-supplied input.   Attackers may exploit these issues to execute arbitrary code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, to perform XML based attacks (including local file disclosure), TCP port scans, and a denial of service (DoS) condition; other attacks are also possible.   Squiz CMS 4.6.3 is vulnerable; other versions may also be affected.   http://www.example.com/_admin/?SQ_BACKEND_PAGE=main&backend_section=am&am_section=edit_asset"><script>alert(document.cookie)</script>&assetid=73&sq_asset_path=%2C1%2C73&sq_link_path=%2C0%2C74&asset_ei_screen=details [XSS]