Document Title:
===============
Contenido v4.9.11 - (Backend) Multiple XSS Vulnerabilities

References (Source):
====================

Release Date:
=============
2016-10-10

Vulnerability Laboratory ID (VL-ID):
====================================
1928

Common Vulnerability Scoring System:
====================================
3.7

Product & Service Introduction:
===============================
The German-language open source web content management system for (multilingual) platforms and portals. Individual adjustments, new functions and seamless integration into complex IT systems in the company are readily realizable. Integrated communication via different channels, automatically managed content and optimal presentation, even on mobile devices like tablets or smartphones.

(copy of the Vendor Homepage: )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered multiple client-side cross site scripting vulnerabilities in the Contenido v4.9.11 content management system.

Vulnerability Disclosure Timeline:
==================================
2016-10-10: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Four for Business AG
Product: Contenido - Content Management System (Web-Application) 4.9.11

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Low

Technical Details & Description:
================================
Multiple client-side cross site scripting vulnerabilities have been discovered in the official Contenido v4.9.11 content management system component. The non-persistent cross site scripting vulnerability allows remote attackers to inject their own malicious script code into client-side web-application requests.

The vulnerabilities are located in the `filter`, `action`, `year`, `subject` and `idtpl` parameters of the `main.php` backend file. The request method to inject malicious script code is GET and the attack vector is located on the client side of the web-application. Attackers are able to trigger the payload in client-side requests to compromise the session credentials of administrators, moderators or other user accounts. The security risk of the client-side XSS vulnerabilities is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.7. Exploitation of the non-persistent cross site scripting web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected or connected application modules.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] com_adagency

Vulnerable File(s):
[+] main.php

Vulnerable Parameter(s):
[+] filter
[+] action
[+] year
[+] subject
[+] idtpl

Proof of Concept (PoC):
=======================
The client-side XSS web vulnerabilities can be exploited by remote attackers without a privileged web-application user account or user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

PoC: Payload
">

PoC: Vulnerable Source (action)
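As an added example that is not part of the original advisory, the following Python scans web-server access-log lines for GET requests to `main.php` whose `filter`, `action`, `year`, `subject` or `idtpl` parameter carries markup-breaking characters, which is how a defender would spot attempts against the reflected XSS described above. The log lines are constructed for illustration, and the character heuristic is an assumption of this example, not something taken from the advisory or the vendor.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Backend file and GET parameters named in the advisory.
WATCHED_FILE = "main.php"
WATCHED_PARAMS = {"filter", "action", "year", "subject", "idtpl"}

# Heuristic (assumed, not from the advisory): characters that break out of an
# HTML attribute or open a tag. The advisory's payload begins with a quote
# followed by an angle bracket, which this pattern catches.
SUSPICIOUS = re.compile(r'["\'<>]')

# Request line inside an Apache/nginx combined-format log entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(request_target):
    """Return {param: decoded_value} for watched main.php parameters whose
    decoded value contains markup-breaking characters; {} otherwise."""
    parts = urlsplit(request_target)
    if parts.path.rsplit("/", 1)[-1] != WATCHED_FILE:
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            # parse_qs already decoded once; decode again so that a
            # double-encoded value like %2522%253E is still inspected as ">.
            decoded = unquote(value)
            if SUSPICIOUS.search(decoded):
                hits[name] = decoded
    return hits


def scan_log(lines):
    """Return [(line_no, hits)] for GET requests matching the heuristic."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m and m.group("method") == "GET":
            hits = suspicious_params(m.group("target"))
            if hits:
                findings.append((line_no, hits))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2016:12:00:01 +0000] "GET /contenido/main.php?area=con&action=con_edit&idtpl=3 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [10/Oct/2016:12:00:02 +0000] "GET /contenido/main.php?action=%22%3E%3Cb%3Ex%3C%2Fb%3E&year=2016 HTTP/1.1" 200 4880',
    '10.0.0.9 - - [10/Oct/2016:12:00:03 +0000] "GET /contenido/main.php?filter=%2522%253E&subject=test HTTP/1.1" 200 4700',
    '10.0.0.9 - - [10/Oct/2016:12:00:04 +0000] "GET /cms/index.php?subject=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG):
        print(line_no, hits)
```

Only the second and third constructed lines are reported: the first carries ordinary values, and the fourth targets a different file. A single quote in a legitimate value (a surname, for instance) will also trigger the heuristic, so treat the output as a triage list rather than a verdict.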