{"id": "CVE-2015-1373", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2015-01-27T20:04:31.340", "references": [{"url": "http://seclists.org/fulldisclosure/2015/Jan/98", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-10.html", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2015/01/23/3", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/72287", "source": "cve@mitre.org"}, {"url": "https://github.com/JRogaishio/ferretCMS/issues/63", "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2015/Jan/98", "tags": ["Exploit"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-10.html", "tags": ["Exploit"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2015/01/23/3", "tags": ["Exploit"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/72287", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/JRogaishio/ferretCMS/issues/63", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], 
"descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to inject arbitrary web script or HTML via the (1) action parameter in a search request, (2) username in a login request, which is not properly handled when logging the event, or (3) page title in an insert action."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en admin.php en ferretCMS 1.0.4-alpha permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s (1) del par\u00e1metro action en una solicitud de b\u00fasqueda, (2) del nombre de usuario en una solicitud de inicio de sesi\u00f3n, lo cual no se maneja correctamente cuando se registra el evento, o (3) del t\u00edtulo de la p\u00e1gina en una acci\u00f3n de insertar."}], "lastModified": "2025-04-12T10:46:40.837", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ferretcms_project:ferretcms:1.0.4:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F3823A0-A21A-49DE-B972-F2C9B8F8B798"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}