Tendoo CMS Stored And Reflected Xss Vulnerability

vendor:

Tendoo CMS

by:

Arash Khazaei

8.8

CVSS

HIGH

Stored and Reflected XSS

CWE

Product Name: Tendoo CMS

Affected Version From: 1.3

Affected Version To: 1.3

Patch Exists: NO

Related CWE: N/A

CPE: a:tendoo_cms:tendoo_cms

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Kali, Windows

2015

Tendoo CMS Stored And Reflected Xss Vulnerability

A Stored And a Reflected XSS Vulnerability In Profile Area In Tendoo CMS Make CMS Vulnerable And Can Be Used For Stealing Admin Cookies And ....... .

Mitigation:

Input validation and output encoding should be used to prevent XSS attacks.

Source

Exploit-DB raw data:

# Exploit Title: Tendoo CMS Stored And Reflected Xss Vulnerability
# Google Dork: N/A
# Date: 28/7/2015
# Exploit Author: Arash Khazaei
# Vendor Homepage: http://tendoo.org/
# Software Link: http://sourceforge.net/projects/tendoo-cms/
# Version: 1.3
# Tested on: Kali , Windows
# CVE : N/A
# Contact : 0xclay@gmail.com

######################
Introduction :
a Stored And a Reflected XSS Vulnerability In Profile Area In Tendoo CMS
Make CMS Vulnerable And Can Be Used For Stealing Admin Cookies And ....... .
######################

Stored Xss In http://localhost/tendoo/index.php/account/update In First
Name and Last Name Inputs
Excute Java Script Codes And If Admin Or Any Body Come In Attacker Profile
When First Name And Last Name Loads
JavaScripts Code Will Be Excuted
POC :

https://i.leetfil.es/e992ad2d.jpg

Discovered By Arash Khazaei