
Hero Framework 3.69 Remote Reflected Cross-Site Scripting Vulnerability

Severity: Medium
Advisory ID: ZSL-2011-5061
Release Date: 01 December 2011
Vendor: Electric Function, Inc. - http://www.heroframework.com
Affected Version: 3.69
CVE: N/A
Tested On: Microsoft Windows XP Professional SP3 (EN), Apache 2.2.21, MySQL 5.5.16, PHP 5.3.8
Summary

Hero (formerly Caribou CMS) is a white label, open source PHP website content management system (CMS) and development platform.

Description

Hero suffers from a reflected XSS vulnerability when handling user input passed to the 'month' parameter via the GET method: the value is reflected into the response without adequate validation or output encoding. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
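The following is an added illustration of the vulnerability class the advisory describes, not Hero's own code: a hypothetical handler that copies a 'month' query-string value straight into HTML, beside a hardened version that validates the parameter as an integer in 1..12 and still HTML-encodes it on output. Function names, the sample requests, and the markup are constructed for the example.

```php
<?php
// Added illustration (not Hero's own code): the reflected-XSS pattern the
// advisory describes for a 'month' GET parameter, beside a hardened version.
// Function names, sample inputs and markup here are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the raw query-string value is concatenated into the
// page. Whatever the client sends in ?month=... is reflected unchanged.
function render_month_vulnerable(array $query): string
{
    $month = $query['month'] ?? '';
    return "<h2>Archive for month " . $month . "</h2>";
}

// Hardened pattern: (1) validate against the only values that make sense
// (an integer from 1 to 12) and reject everything else, then (2) still
// HTML-encode on output so the template never trusts the value directly.
function render_month_safe(array $query): string
{
    $raw = $query['month'] ?? '';
    $month = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 12],
    ]);
    if ($month === false) {
        // Invalid or missing value: fall back to a fixed, client-independent string.
        return "<h2>Archive</h2>";
    }
    $encoded = htmlspecialchars((string) $month, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Archive for month " . $encoded . "</h2>";
}

// Constructed sample requests standing in for $_GET (not captured traffic).
// The second one carries harmless markup to show that the vulnerable handler
// reflects tags verbatim while the hardened one rejects the value.
$samples = [
    ['month' => '11'],
    ['month' => '11<b>bold</b>'],
    ['month' => ''],
];

foreach ($samples as $q) {
    echo "input:      " . var_export($q['month'], true) . PHP_EOL;
    echo "vulnerable: " . render_month_vulnerable($q) . PHP_EOL;
    echo "safe:       " . render_month_safe($q) . PHP_EOL . PHP_EOL;
}
```

Run it with `php` from the command line; the vulnerable handler echoes the `<b>` tags back into the page for the second sample, while the hardened one returns the fixed fallback. Validating first and encoding second is deliberate: validation shrinks the accepted input to a handful of digits, and the encoding step guards the template if a later change ever widens what the parameter may contain.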

Proof of Concept
Disclosure Timeline
29.11.2011 - Vulnerability discovered.
29.11.2011 - Initial contact with the vendor, PoC sent.
29.11.2011 - Vendor releases a fix.
01.12.2011 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
01.12.2011 - Initial release
02.12.2011 - Added references [3] and [4]
03.12.2011 - Added reference [5]
04.12.2011 - Added reference [6]