Open bestshow opened 7 years ago
Thanks for the notification, I will publish a fix for the 0.4.1 and 0.5.0 branches.
Could you please help me assign a CVE for this issue?
How about PE-2017-0000001 ?
Hi: Many thanks for your reply.
Bests.
Please note that is not a CVE assignment. It should be treated as a vendor-specific tracking ID. MITRE assigned CVE-2017-5960 to this.
Product: Phalcon Eye
Vendor: Phalcon (https://phalconphp.com/)
Vulnerable Version: 0.4.1 and probably prior
Tested Version: 0.4.1
Author: ADLab of Venustech

Advisory Details: I have discovered Multiple Cross-Site Scripting (XSS) in Phalcon Eye, which can be exploited to add, modify or delete information in application's database and gain complete control over the application.

The vulnerability exists due to insufficient filtration of user-supplied data in multiple HTTP GET parameters passed to “phalconeye-master/phalconeye-master/public/external/pydio/plugins/editor.webodf/frame.php” URL. An attacker could execute arbitrary HTML and script code in browser in context of the vulnerable website. The exploitation examples below use the "alert()" JavaScript function to see a pop-up messagebox:

(1) http://localhost/testcmsofgithub/phalconeye-master/phalconeye-master/public/external/pydio/plugins/editor.webodf/frame.php?token=%22%22);}%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3Efunction%20nopfun(){//

(2) http://localhost/testcmsofgithub/phalconeye-master/phalconeye-master/public/external/pydio/plugins/editor.webodf/frame.php?file=%22%22);}%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3Efunction%20nopfun(){//
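
One way to close this class of bug, as an added example that is not code from Phalcon Eye, pydio or the advisory: a GET parameter reflected into an inline script, first concatenated raw and then encoded for the JavaScript string context. The source of frame.php is not shown on this page, so `render_unsafe`, `render_safe`, `is_plausible_token`, the `init`/`load` script body and the token format are all assumptions; `JSON_THROW_ON_ERROR` needs PHP 7.3 or later.

```php
<?php
// Added example: the real frame.php source is not shown in the advisory.
// render_unsafe() is a hypothetical stand-in for a page that echoes a GET
// parameter into an inline <script>; render_safe() is the hardened form.

function render_unsafe(string $token): string
{
    // Raw concatenation: a quote or "</script>" in $token ends the string
    // literal or the whole script element.
    return '<script>function init(){ load("' . $token . '"); }</script>';
}

function render_safe(string $token): string
{
    // json_encode() emits a complete JS string literal, quotes included.
    // The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so
    // the value cannot close the literal or the enclosing element.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    return '<script>function init(){ load('
         . json_encode($token, $flags) . '); }</script>';
}

function is_plausible_token(string $token): bool
{
    // Assumed token format. Allow-list validation rejects unexpected input
    // before it reaches the template; output encoding stays in place anyway.
    return preg_match('/\A[A-Za-z0-9_-]{1,128}\z/', $token) === 1;
}

// URL-decoded "token" value from the advisory's first example URL.
$hostile = '"");}</script><script>alert(1);</script>function nopfun(){//';

$unsafe = render_unsafe($hostile);
$safe   = render_safe($hostile);

// Count <script> openers in each rendering: more than one means the
// parameter value was parsed as markup instead of staying inside the string.
printf("unsafe: %d script element(s)\n", substr_count($unsafe, '<script>'));
printf("safe:   %d script element(s)\n", substr_count($safe, '<script>'));
printf("token passes allow-list: %s\n",
       is_plausible_token($hostile) ? 'yes' : 'no');
echo $safe, PHP_EOL;
```

The same encoding applies to the `file` parameter; `htmlspecialchars()` alone is not the right encoder here because the value lands inside a script block, not in HTML text or an attribute.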