Yab Quarx CVE-2018-7274 Multiple HTML Injection Vulnerabilities

Yab Quarx is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Successful exploits will result in the execution of arbitrary attacker-supplied HTML and script code in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or control how the page is rendered to the user. Other attacks are also possible.

Quarx through 2.4.3 are vulnerable.

Information

Bugtraq ID: 103081
Class: Input Validation Error
CVE: CVE-2018-7274

Remote: Yes
Local: No
Published: Feb 20 2018 12:00AM
Updated: Feb 20 2018 12:00AM
Credit: Preethi Koroth (@p3core0ath)
Vulnerable: Yab Quarx 2.4.3
Yab Quarx 2.4.2
Yab Quarx 2.4.1
Yab Quarx 2.4
Yab Quarx 2.0
Yab Quarx 1.4.18
Yab Quarx 1.2
Yab Quarx 0.1

Not Vulnerable: Yab Quarx 2.4.6
Yab Quarx 2.4.5

Exploit

Attackers can exploit these issues using browser or readily available tools.

References:

• Quarx CMS Homepage (Yab)
  
• Quarx Multiple Persistent Cross-Site Scripting Vulnerabilities #115 (Git)
  
• Multiple Persistent Cross-Site Scripting Vulnerabilities in Quarx CMS (Seclist.org)
  

Source: www.securityfocus.com