Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2014-4195

Publish Date: 27 Jun 2014

Source

                							

                ZeroCMS v1.0 Cross-Site Scripting Vulnerability

Vendor: Another Awesome Stuff
Product web page: http://www.aas9.in/zerocms
Affected version: 1.0
Severity: Medium
CVE: CVE-2014-4195 
Date: 20/06/2014

Discovered by: Filippos Mastrogiannis (@filipposmastro)

ZeroCMS is a very simple Content Management System Built using PHP and MySQL.

Description: ZeroCMS v1.0 is vulnerable to Cross-Site Scripting (XSS)

A cross site scripting vulnerability identified in the variable: "article_id" of 
the "zero_view_article.php" file which allows an attacker to execute arbitrary 
script code in the browser of an unsuspecting user in the context of the affected site.

This allows several different attack opportunities, mostly hijacking the
current session of the user or changing the look of the page by changing
the HTML on the fly to steal the user's credentials. This happens
because the user input is interpreted as HTML/JavaScript by the browser.

Proof Of Concept:

In order to trigger the vulnerability and to display an alert box with the session 
cookie use the following standard payload:

http://localhost/zerocms/zero_view_article.php?article_id=&lt;script&gt;alert(document.cookie);&lt;/script&gt;






<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

ZeroCMS 1.0 Cross Site Scripting

Vulmon Search

About

Products

Connect