[VIM] CMSLogik XSS - not a vuln, or maybe CSRF?
Christey, Steven M.
coley at mitre.org
Thu May 2 09:00:10 CDT 2013
Researcher: LiquidWorm
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5136.php
http://packetstormsecurity.com/files/121303/CMSLogik-1.2.1-Cross-Site-Scripting.html
This XSS seems to be targeting admin-only functionality, such as cmslogik/admin/settings, inserting the XSS into an admin_email parameter and header-title parameter. Seems like an admin would probably already have privileges to insert HTML if they want. So it doesn't seem like this would cross privilege boundaries, yet (a) it's LiquidWorm and (b) he says the vendor is working on a patch.
Is this really CSRF at the core?
- Steve