Exponent CMS 2.6.0 patch2 - Stored XSS (User-Agent)
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Exponent CMS 2.6.0 patch2 - Stored XSS (User-Agent)
Code name
State
Public
Release date
Feb 3, 2022
Affected product
Exponent CMS
Affected version(s)
v2.6.0 patch2
Vulnerability name
Stored cross-site scripting (XSS)
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v3.1 base score
5.4
Exploit available
No
CVE ID(s)
Description
Exponent CMS 2.6.0 patch2 allows an authenticated user to inject persistent JavaScript code through the User-Agent header when logging in. When an administrator user visits the 'User Sessions' tab, the JavaScript is triggered, allowing an attacker to compromise the administrator session.
Proof of Concept
Use a Web proxy or a tool to modify the browser User-Agent with the following PoC.
Try to log in with a non-admin user.
If an admin user visits 'User Management' > 'User Sessions', the XSS will be triggered.
A non-admin user may compromise an admin session by exploiting this vulnerability.
System Information:
Version: Exponent CMS 2.6.0 patch2.
Operating System: Linux.
Web Server: Apache.
PHP Version: 7.4.
Database and version: MySQL.
Exploit
There is no exploit for this vulnerability, but it can be exploited manually.
Mitigation
As of 2022-02-03 there is no patch resolving the issue.
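The flaw described above is a missing output encoding: the User-Agent header is stored verbatim at login and later written into the admin 'User Sessions' page as live markup. The following added example is not Exponent CMS code (the CMS is written in PHP; this is a Python model of the same pattern). It shows the unencoded rendering beside the encoded one, plus a small check a defender can run over stored session records to spot User-Agent values that contain markup. The session records, user names and IP addresses are constructed sample data.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ip: str
    user_agent: str  # untrusted: copied verbatim from the HTTP request header


# Constructed sample session records (not real data): one benign, one carrying markup.
SESSIONS = [
    Session("alice", "192.0.2.10", "Mozilla/5.0 (X11; Linux x86_64) Firefox/96.0"),
    Session("mallory", "192.0.2.11", "Mozilla/5.0 <script>1</script>"),
]


def render_sessions_vulnerable(sessions):
    """Builds the 'User Sessions' table by plain string concatenation.

    Whatever the client sent as User-Agent lands in the admin page as markup,
    which is the behaviour the advisory describes.
    """
    rows = "".join(
        f"<tr><td>{s.user}</td><td>{s.ip}</td><td>{s.user_agent}</td></tr>"
        for s in sessions
    )
    return f"<table>{rows}</table>"


def render_sessions_safe(sessions):
    """Same table, but every untrusted field is HTML-encoded before insertion.

    html.escape() turns '<', '>', '&' and quotes into entities, so the stored
    User-Agent is displayed as text and cannot become a script element.
    """
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(s.user, quote=True),
            html.escape(s.ip, quote=True),
            html.escape(s.user_agent, quote=True),
        )
        for s in sessions
    )
    return f"<table>{rows}</table>"


# A genuine browser User-Agent never contains a tag opener, an inline event
# handler assignment or a javascript: URL, so any of these is worth a look.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon\w+\s*=|javascript:", re.IGNORECASE)


def suspicious_user_agents(sessions):
    """Detection aid: returns the users whose stored User-Agent looks like markup."""
    return [s.user for s in sessions if MARKUP_RE.search(s.user_agent)]


def has_unescaped_script(html_doc):
    """True if a raw <script> element survived into the rendered page."""
    return "<script>" in html_doc.lower()


if __name__ == "__main__":
    print("vulnerable page carries live script:", has_unescaped_script(render_sessions_vulnerable(SESSIONS)))
    print("encoded page carries live script:", has_unescaped_script(render_sessions_safe(SESSIONS)))
    print("sessions to investigate:", suspicious_user_agents(SESSIONS))
```

The fix is entirely on the output side: the header value can stay in the database as received, as long as every place that displays it encodes it for the HTML context. The `suspicious_user_agents` scan is a triage aid for existing session or access-log data, not a substitute for the encoding.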
References
Timeline
Jan 25, 2022
Vulnerability discovered
Jan 25, 2022
Vendor contacted
Feb 3, 2022
Public disclosure