Asbru Web Content Management System v9.2.7 Multiple Vulnerabilities

Medium
Advisory ID: ZSL-2016-5314
Release Date: 05 April 2016
Vendor:
Affected Version: 9.2.7
CVE: N/A
Tested On: Apache Tomcat/5.5.23, Apache/2.2.3 (CentOS)
Summary

Ready to use, full-featured, database-driven web content management system (CMS) with integrated community, databases, e-commerce and statistics modules for creating, publishing and managing rich and user-friendly Internet, Extranet and Intranet websites.

Description

Asbru WCM suffers from multiple vulnerabilities including Cross-Site Request Forgery, Stored Cross-Site Scripting, Open Redirect and Information Disclosure.

Proof of Concept
Disclosure Timeline
09.03.2016 Vulnerability discovered.
16.03.2016 Vendor contacted.
16.03.2016 Vendor responds asking for more details.
16.03.2016 Sent details to the vendor.
30.03.2016 Asked vendor for status update.
04.04.2016 No response from the vendor.
05.04.2016 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
05.04.2016 Initial release
06.04.2016 Added references [1], [2] and [3]
08.04.2016 Added references [4], [5], [6] and [7]