gpEasy CMS 1.6.2 – ‘editing_files.php’ Cross-Site Scripting

Exploit Database
116 阅读

作者： High-Tech Bridge SA

日期： 2010-05-18
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/34031/

source: https://www.securityfocus.com/bid/40330/info

gpEasy CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Versions prior to gpEasy CMS 1.6.3 are vulnerable

<input type="hidden" name="gpcontent" value='text"><script>alert(document.cookie)</script>'>

</form>

document.myfrm.submit();

</script>

last Exploits
gpEasy CMS 1.6.2 – ‘editing_files.php’ Cross-Site Scripting的更多信息

HRSALE 1.1.8 – Cross-Site Request Forgery (Add Admin)：
Woltlab Burning Board 2.3.4 – File Disclosure：
Victor CMS 1.0 – ‘comment_author’ Persistent Cross-Site Scripting：
SOCA Access Control System 180612 – Information Disclosure：
Devika v1 – Path Traversal via ‘snapshot_path’：
SoftXMLCMS – Arbitrary File Upload：
CouchCMS 2.2.1 – Server-Side Request Forgery：
Joomla! Component com_ca – SQL Injection：