CVE-2017-15287
Published 2017-10-12
Priority: P341 · medium · 6.1 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EXPLOIT
EPSS: 5.57% (91.9th percentile)
There is XSS in the BouquetEditor WebPlugin for Dream Multimedia Dreambox devices, as demonstrated by the "Name des Bouquets" field, or the file parameter to the /file URI.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bouqueteditor_project | bouqueteditor | — | — |
CVSS provenance
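| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |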
No detection rules found.
Exploit-DB
Dreambox Plugin BouquetEditor - Cross-Site Scripting
exploitdb·2017-10-12·CVSS 6.1
CVE-2017-15287 [MEDIUM] Dreambox Plugin BouquetEditor - Cross-Site Scripting
---
# Exploit Title: Vulnerability XSS - Dreambox
# Shodan Dork: Dreambox 200
# Date: 12/10/2017
# Exploit Author: Thiago "THX" Sena
# Vendor Homepage: https://www.dreamboxupdate.com
# Version: 2.0.0
# Tested on: kali linux, windows 7, 8.1, 10
# CVE : CVE-2017-15287
Vulnerability: Cross-site scripting (XSS) in plugin BouquetEditor
PoC:
- First you go to ( http://IP:PORT/bouqueteditor/ )
- Then you go to the Bouquets tab, add a new bouquet
- Then put the script (alert(1))
- Xss Vulnerability
Nuclei
Dreambox WebControl 2.0.0 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2017-15287 [MEDIUM] Dreambox WebControl 2.0.0 - Cross-Site Scripting
Dream Multimedia Dreambox devices via their WebControl component are vulnerable to reflected cross-site scripting, as demonstrated by the "Name des Bouquets" field, or the file parameter to the /file URI.
Template:
```yaml
id: CVE-2017-15287
info:
  name: Dreambox WebControl 2.0.0 - Cross-Site Scripting
  author: pikpikcu
  severity: medium
  description: |
    Dream Multimedia Dreambox devices via their WebControl component are vulnerable to reflected cross-site scripting, as demonstrated by the "Name des Bouquets" field, or the file parameter to the /file URI.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement,
```
Published: 2017-10-12