Exponent CMS 2.6.0 patch2 - Stored XSS (User-Agent)
5,4
Medium
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Exponent CMS 2.6.0 patch2 - Stored XSS (User-Agent)
Code name
State
Public
Release date
3 de fev. de 2022
Affected product
Exponent CMS
Affected version(s)
v2.6.0 patch2
Vulnerability name
Stored cross-site scripting (XSS)
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v3.1 base score
5.4
Exploit available
No
CVE ID(s)
Description
Exponent CMS 2.6.0 patch2 allows an authenticated user to inject persistent javascript code on the User-Agent when logging in. When an administratoruser visits the 'User Sessions' tab, the javascript will be triggered allowingan attacker to compromise the administrator session.
Proof of Concept
Use a Web proxy or a tool to modify the browser User-agent with the following PoC.
Try to login with a non-admin user.
If an admin user visits 'User Management' > 'User Sessions' the XSS will be triggered.
A non-admin user may compromise an admin session by exploiting this vulnerability.
System Information:
Version: Exponent CMS 2.6.0 patch2.
Operating System: Linux.
Web Server: Apache
PHP Version: 7.4
Database and version: Mysql
Exploit
There is no exploit for the vulnerability but can be manually exploited.
Mitigation
By 2022-02-03 there is not a patch resolving the issue.
References
Timeline
Vulnerability discovered
25 de jan. de 2022
Vendor contacted
25 de jan. de 2022
Public disclosure
3 de fev. de 2022
