[VIM] CMSLogik XSS - not a vuln, or maybe CSRF?

Christey, Steven M. coley at mitre.org
Thu May 2 09:00:10 CDT 2013

Researcher: LiquidWorm

This XSS seems to be targeting admin-only functionality, such as cmslogik/admin/settings, inserting the XSS into an admin_email parameter and header-title parameter.  Seems like an admin would probably already have privileges to insert HTML if they want.  So it doesn't seem like this would cross privilege boundaries, yet (a) it's LiquidWorm and (b) he says the vendor is working on a patch.

Is this really CSRF at the core?

- Steve
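Added example (not part of this post, nor CMSLogik's code): a minimal model of the admin settings handler described above, showing the two conditions under which an admin-only stored XSS does or does not cross a privilege boundary. Without a session-bound CSRF token, a forged cross-site POST riding on the admin's cookie can store the value; with the token check it is rejected, and output escaping means even an admin-entered value never runs as script. All names (`SECRET`, `settings_post`, `render_header`, the session dict) are hypothetical.

```python
# Hypothetical model of cmslogik/admin/settings; constructed for illustration.
import hmac
import hashlib
import html

SECRET = b"constructed-server-secret"  # constructed; a real server keeps this private


def csrf_token(session_id: str) -> str:
    """Session-bound anti-CSRF token: HMAC(secret, session_id)."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def settings_post(session: dict, form: dict, settings: dict) -> int:
    """Handle a POST to the admin settings page; returns an HTTP status code.

    A forged cross-site request carries the victim admin's session cookie but
    cannot know the token, so it is rejected before any value is stored. This
    is the check that turns "admin can already insert HTML" into a non-issue.
    """
    if session.get("role") != "admin":
        return 403
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session["id"])):
        return 403
    for key in ("admin_email", "header-title"):
        if key in form:
            settings[key] = form[key]
    return 200


def render_header(settings: dict) -> str:
    """Escape on output so even an admin-entered value cannot execute."""
    return f"<h1>{html.escape(settings.get('header-title', ''))}</h1>"


if __name__ == "__main__":
    sess = {"id": "sess-1", "role": "admin"}
    store = {}
    forged = {"header-title": "<script>alert(1)</script>"}  # no token: CSRF attempt
    print(settings_post(sess, forged, store))                # 403
    legit = dict(forged, csrf_token=csrf_token("sess-1"))
    print(settings_post(sess, legit, store))                 # 200, stored as data
    print(render_header(store))                              # rendered escaped
```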

