Document Title: =============== Composr CMS v10.0.0 - Cross Site Scripting Vulnerability Date: ===== 2017-06-08 References: =========== https://www.vulnerability-lab.com/get_content.php?id=2066 VL-ID: ===== 2066 Common Vulnerability Scoring System: ==================================== 3.3 Vulnerability Class: ==================== Cross Site Scripting - Non Persistent Introduction: ============= Composr is a CMS with many social media features, for building modern, sophisticated websites. Composr supports many types of content (galleries, news/newsletters, etc.) - and integrating rich media and advertising into them. Social features include forums, member blogs, chat rooms, wiki, and content commenting/rating. (Copy of the Homepage: https://compo.sr/start.htm ) Abstract: ========= The vulnerability laboratory team discovered a non-persistent cross site vulnerability in the official Composr v10.0.0 content management system web-application. Report-Timeline: ================ 2017-06-08: Public Disclosure (Vulnerability Laboratory) Status: ======== Published Affected Products: ================== ocProducts Ltd Product: Composr - Content Management System (Web-Application) v10.0.0 Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== A non-persistent cross site scripting vulnerability has been discovered in the official Composr v10.0.0 content management system web-application. The vulnerability allows remote attackers to inject own malicious script codes to client-side browser to web-application requests for compromise. The vulnerability is located in the `Error Exception` of the `Delete File` function. The remote attacker is able to inject own malicious code via GET method request in the `file` parameter to provoke an execution. The injection point is the `file` parameter and the execution point occurs in the error exception that displays the content to confirm a delete. The vulnerability is a classic cross site scripting issue with non-persistent attack vector by client-side exploitation. The error message content that is redisplayed is not properly parsed. The security risk of the cross site scripting vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3. Exploitation of the client-side cross site scripting vulnerability requires no privileged web-application user account and only low user interaction. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected or connected application modules. Request Method(s): [+] GET Vulnerable Module(s): [+] Delete File Parameter(s): [+] file Affected Module(s): [+] Error Exception-Handling Proof of Concept: ================= The cross site scripting vulnerability can be exploited by remote attackers with low or medium user interaction and without privileged user accounts. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. PoC: Exploit