Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2014-4710 cve-2014-4710

Publish Date: 28 Jul 2014

Source

                							

                ######################
# Exploit Title: Persistent ZeroCMS Cross-Site Scripting Vulnerability
 
# Discovered by: Mayuresh Dani
 
# Vendor Homepage: http://www.aas9.in/zerocms/
 
# Software Link: https://github.com/pcx1256/zerocms/archive/master.zip
 
# Version: 1.0?
 
# Date: 2014-07-25
 
# Tested on: Windows 7 / Mozilla Firefox
              Ubuntu 14.04 / Mozilla Firefox
 
# CVE: CVE-2014-4710
 
######################
 
# Vulnerability Disclosure Timeline:
 
2014-06-15:  Discovered vulnerability
2014-06-23:  Vendor Notification (Support e-mail address)
2014-07-25:  Public Disclosure
 
# Description
 
ZeroCMS is a very simple Content Management System Built using PHP and
MySQL.
 
The application does not validate any input to the "Full Name", "Email
Address", "Password" or "Confirm Password" functionality. It saves this
unsanitized input in the backend databased and executes it when visiting
the subsequent or any logged-in pages.
 
######################
 
# Steps to reproduce the vulnerability
 
1) Visit the "Create Account" page (eg.
http://localhost/zerocms/zero_transact_user.php)
 
2) Enter your favourite XSS payload and click on "Create Account"
 
3) Enjoy!
 
More information:
https://community.qualys.com/blogs/securitylabs/2014/07/24/yet-another-zerocms-cross-site-scripting-vulnerability-cve-2014-4710
 
#####################
 
Thanks,
Mayuresh.

<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

ZeroCMS 1.0 Cross Site Scripting

Vulmon Search

About

Products

Connect