CVE-2017-20122: Cross-Site Scripting vulnerability in Bitrix Site Manager
A vulnerability classified as problematic was found in Bitrix Site Manager 12.06.2015. Affected by this vulnerability is an unknown functionality of the component Contact Form. The manipulation of the argument text with the input <img src="http://1"; on onerror="$(’p’).text(’Hacked’)" /> leads to basic cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Full Disclosure mailing list archives
From: “MustLive” <mustlive () websecurity com ua>
Date: Tue, 31 Jan 2017 23:55:21 +0200
Hello list!
There is a Cross-Site Scripting vulnerability in Bitrix Site Manager.
Affected products:
The last version of Bitrix Site Manager as of 12.06.2015 was vulnerable, when I found this vulnerability on a web site of Russian terrorists. At that time I wrote on Facebook about the hack of that site by Ukrainian Cyber Forces http://on.fb.me/1H05ccm and published the results of our work with it.
You can read about the work of Ukrainian Cyber Forces (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2017-January/010833.html).
----------
Details:
Cross-Site Scripting (WASC-08):
This is a persistent XSS in the field “text” in the contact form (captcha protected):
<img src="http://1"; on onerror="$(’p’).text(’Hacked’)" />
On 31.12.2016 I disclosed it on my site (http://websecurity.com.ua/7826/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
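The persistent XSS in the contact form's "text" field described above comes down to stored text being written into the page as markup. The following is an added example, not part of the original post and not Bitrix code: a rendering function in its vulnerable and output-encoded forms, with a check that only the template's own element survives. The function names and the <p class="message"> template are assumptions, and the sample input is modelled on the string quoted in the advisory.

```javascript
// Added example: output encoding for a stored contact-form message.
// All names and the page template are hypothetical, not Bitrix code.

// Constructed sample modelled on the string quoted in the advisory.
const SAMPLE = `<img src="http://1"; on onerror="$('p').text('Hacked')" />`;

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that can open a tag, an entity or an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored text is concatenated into the page as markup.
function renderUnsafe(text) {
  return `<p class="message">${text}</p>`;
}

// Hardened pattern: the stored text is encoded at output time, so it stays text.
function renderSafe(text) {
  return `<p class="message">${escapeHtml(text)}</p>`;
}

// Review helper: names of the elements the markup would create in a browser.
// A crude opening-tag scan, sufficient to compare the two renderings.
function elementsIn(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)\b/g)]
    .map((m) => m[1].toLowerCase());
}

// Regression check for a test suite: only the template's own <p> may appear.
function rendersOnlyTemplate(html) {
  const tags = elementsIn(html);
  return tags.length === 1 && tags[0] === 'p';
}

console.log('unsafe:', elementsIn(renderUnsafe(SAMPLE)));
console.log('safe:  ', elementsIn(renderSafe(SAMPLE)));
```

Encoding belongs at the point of output for the HTML body context shown here; text placed into attributes, URLs or script blocks needs the encoder for that context.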