VuFind 1.0 Cross Site Scripting

VuFind 1.0 Cross Site Scripting
Posted Sep 26, 2015
Authored by Jing Wang

VuFind version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | e11f4bce9e7156498d91762f5acc3c7dc73d048e47fec232b6e4c2456ec7e884

*VuFind 1.0 Web Application Reflected XSS (Cross-site Scripting) 0-Day Bug
Security Issue*

Exploit Title: VuFind Results? &lookfor parameter Reflected XSS Web
Security Vulnerability
Product: VuFind
Vendor: VuFind
Vulnerable Versions: 1.0
Tested Version: 1.0
Advisory Publication: September 20, 2015
Latest Update: September 25, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with
attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discoverer and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]

*Suggestion Details:*

*(1) Vendor & Product Description:*


*Product & Vulnerable Versions:*

*Vendor URL & Download:*
Product can be obtained from here,

*Product Introduction Overview:*
"VuFind is a library resource portal designed and developed for libraries
by libraries. The goal of VuFind is to enable your users to search and
browse through all of your library's resources by replacing the traditional
OPAC to include: Catalog Records, Locally Cached Journals, Digital Library
Items, Institutional Repository, Institutional Bibliography, Other Library
Collections and Resources. VuFind is completely modular so you can
implement just the basic system, or all of the components. And since it's
open source, you can modify the modules to best fit your need or you can
add new modules to extend your resource offerings. VuFind runs on Solr
Energy. Apache Solr, an open source search engine, offers amazing
performance and scalability to allow for VuFind to respond to search
queries in milliseconds time. It has the ability to be distributed if you
need to spread the load of the catalog over many servers or in a server
farm environment. VuFind is offered for free through the GPL open source
license. This means that you can use the software for free. You can modify
the software and share your successes with the community! Take a look at
our VuFind Installations Wiki page to see how a variety of organizations
have taken advantage of VuFind's flexibility. If you are already using
VuFind, feel free to edit the page and share your accomplishments."

*(2) Vulnerability Details:*
The VuFind web application has a reflected cross-site scripting (XSS)
vulnerability. A remote attacker can craft a request that, when opened by a
victim, executes arbitrary script code in that user's browser session within
the trust relationship between their browser and the server.

Similar 0-day vulnerabilities in other products have been found by other
researchers before, and VuFind has patched some of them. "scip AG was founded
in 2002. We are driven by innovation, sustainability, transparency, and
enjoyment of our work. We are completely self-funded and are thus in the
comfortable position to provide completely independent and neutral services.
Our staff consists of highly specialized experts who focus on the topic of
information security and continuously further their expertise through
advanced training."

*(2.1)* The flaw is in the "lookfor" parameter of the
"/vufind/Resource/Results?" page: the search term is reflected into the
response without output encoding.
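
The rendering defect described in (2) and (2.1), shown as an added PHP example that is not VuFind's own code: the search term from the `lookfor` query parameter echoed raw into the results page beside the hardened form that encodes it at output time. The function names and the page fragment are assumptions for illustration.

```php
<?php
// Added example (not VuFind's own code). Models how a reflected search term
// should be handled when it is written back into the results page.
declare(strict_types=1);

// Vulnerable pattern: the raw query parameter is concatenated straight into
// the markup, so quote characters and tags inside it become part of the page.
function renderResultsUnsafe(string $lookfor): string
{
    return '<input type="text" name="lookfor" value="' . $lookfor . '">'
         . "\n<p>Your search - " . $lookfor . " - did not match any resources.</p>";
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES escapes both ' and " so the value cannot terminate the attribute;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning an empty
// string; the explicit charset keeps multi-byte input from being mis-decoded.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderResultsSafe(string $lookfor): string
{
    return '<input type="text" name="lookfor" value="' . h($lookfor) . '">'
         . "\n<p>Your search - " . h($lookfor) . " - did not match any resources.</p>";
}

// Constructed sample input: a term that closes the value attribute and adds
// a tag. The safe renderer emits it as inert text; the unsafe one does not.
$lookfor = $_GET['lookfor'] ?? '"><b>injected</b>';

echo "--- unsafe ---\n", renderResultsUnsafe($lookfor), "\n";
echo "--- safe ---\n", renderResultsSafe($lookfor), "\n";
```

In a template engine the same rule applies: every interpolation of `lookfor` goes through the engine's HTML escaping, and the attribute and body contexts are the only ones this snippet covers (JavaScript or URL contexts need their own encoders).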

Another researcher has reported a similar vulnerability here, and VuFind
has patched it.

*(3) Solution:*
Update to a newer version.


Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
