Security Advisory - Curesec Research Team 1. Introduction Affected Product: redaxscript 2.5.0 Fixed in: 2.6.1 Fixed Version Link: http://redaxscript.com/files/releases/ redaxscript_2.6.1_full.zip Vendor Contact: info@redaxmedia.com Vulnerability Type: XSS Remote Exploitable: Yes Reported to vendor: 10/02/2015 Disclosed to 12/02/2015 public: Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Overview CVSS Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Description There is a persistent XSS vulnerability when leaving comments. It requires the admin to hover over a link to trigger the injected code. This issue can lead to the injection of JavaScript keyloggers, or the bypassing of CSRF protection. In this case, this may lead to code execution. The issue has been partially fixed in version 2.6.0. However, it was still possible to inject a style attribute, making XSS in older browsers possible. This has been fixed in version 2.6.1. 3. Proof of Concept 1. Create a comment, as comment text use: comment" onmouseover=alert(1) foo=" 2. In the sidebar, hover over the comment to trigger the XSS. 4. Solution To mitigate this issue please upgrade at least to version 2.6.1: http://redaxscript.com/files/releases/redaxscript_2.6.1_full.zip Please note that a newer version might already be available. 5. Report Timeline 10/02/2015 Informed Vendor about Issue 11/15/2015 Vendor releases partial fix 11/24/2015 Informed vendor that fix is incomplete 11/25/2015 Vendor releases fix 12/02/2015 Disclosed to public Blog Reference: https://blog.curesec.com/article/blog/redaxscript-250-XSS-118.html -- blog: https://blog.curesec.com tweet: https://twitter.com/curesec Curesec GmbH Curesec Research Team Romain-Rolland-Str 14-24 13089 Berlin, Germany