Advisory: Reflected XSS vulnerability in CMS Croogo v.2.2.0

Advisory ID: SROEADV-2015-02
Author: Steffen Rösemann
Affected Software: CMS Croogo v.2.2.0
Vendor URL: https://croogo.org
Vendor Status: solved
CVE-ID: -

==========================
Vulnerability Description:
==========================

The file manager functionality in the administrative backend of CMS Croogo v.2.2.0 is prone to reflected XSS attacks.

==================
Technical Details:
==================

The file manager of a common Croogo installation is located here:

http://{TARGET}/admin/file_manager/file_manager/editfile?path=%2FApplications%2FXAMPP%2Fxamppfiles%2Fhtdocs%2Fcroogo-2.2.0%2Fpackage.json

By appending arbitrary HTML and/or JavaScript code to an existing filename in the path parameter, that code is rendered unescaped in the generated web page. Appending code to existing directory names does not appear to trigger the issue.

Exploit-Example:

http://{TARGET}/admin/file_manager/file_manager/editfile?path=%2FApplications%2FXAMPP%2Fxamppfiles%2Fhtdocs%2Fcroogo-2.2.0%2Fpackage.json
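The following Python sketch is an added editorial example, not part of the advisory and not Croogo's code. It models the defect class described above (a path parameter reflected into HTML verbatim) next to a hardened rendering that canonicalises the path, confines it to an allowed root and HTML-encodes it at the point of output, and it includes a small log-triage check that flags editfile requests whose path parameter carries markup characters. ALLOWED_ROOT, the function names and the sample request URLs are constructed for the example; the root value mirrors the XAMPP path shown in the advisory but is otherwise an assumption.

```python
import html
import posixpath
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed for this example: the directory the file manager may expose.
ALLOWED_ROOT = "/Applications/XAMPP/xamppfiles/htdocs/croogo-2.2.0"

# Characters that should never appear in a legitimate filename reflected
# into HTML; their presence in the path parameter is a triage signal.
MARKUP_CHARS = ("<", ">", '"', "'")


def render_editfile_vulnerable(path: str) -> str:
    # Illustrative reproduction of the defect class only (not Croogo's code):
    # the path value is concatenated into the page without encoding, so any
    # markup appended to a filename becomes live HTML in the response.
    return f"<h2>Editing file: {path}</h2>"


def confine_path(path: str) -> str:
    # Canonicalise and refuse anything outside ALLOWED_ROOT. This check is
    # about traversal; it does not by itself stop the reflected XSS, because
    # a filename that carries markup still resolves inside the root.
    canonical = posixpath.normpath(path)
    if canonical != ALLOWED_ROOT and not canonical.startswith(ALLOWED_ROOT + "/"):
        raise ValueError(f"path escapes file manager root: {canonical!r}")
    return canonical


def render_editfile_hardened(path: str) -> str:
    canonical = confine_path(path)
    # HTML-encode at the point of output: < > & " ' become entities, so a
    # filename such as package.json<b>x</b> is displayed, not interpreted.
    return f"<h2>Editing file: {html.escape(canonical, quote=True)}</h2>"


def editfile_path_from_url(url: str) -> Optional[str]:
    # Extract the decoded path parameter from an editfile request URL,
    # or None if the URL is not an editfile request.
    parts = urlsplit(url)
    if not parts.path.endswith("/admin/file_manager/file_manager/editfile"):
        return None
    values = parse_qs(parts.query).get("path")
    return values[0] if values else None


def is_suspicious_editfile_request(url: str) -> bool:
    path = editfile_path_from_url(url)
    if path is None:
        return False
    return any(c in path for c in MARKUP_CHARS)


def flag_suspicious(urls: List[str]) -> List[str]:
    return [u for u in urls if is_suspicious_editfile_request(u)]


# Constructed sample request URLs (not taken from a real deployment).
SAMPLE_REQUESTS = [
    "http://croogo.example/admin/file_manager/file_manager/editfile"
    "?path=%2FApplications%2FXAMPP%2Fxamppfiles%2Fhtdocs%2Fcroogo-2.2.0%2Fpackage.json",
    "http://croogo.example/admin/file_manager/file_manager/editfile"
    "?path=%2FApplications%2FXAMPP%2Fxamppfiles%2Fhtdocs%2Fcroogo-2.2.0%2Fpackage.json%3Cb%3Ex%3C%2Fb%3E",
    "http://croogo.example/admin/nodes/nodes/index",
]


if __name__ == "__main__":
    tampered = editfile_path_from_url(SAMPLE_REQUESTS[1])
    print(render_editfile_vulnerable(tampered))
    print(render_editfile_hardened(tampered))
    print(flag_suspicious(SAMPLE_REQUESTS))
```

The second sample request appends harmless bold markup to package.json; the hardened renderer passes it through confine_path (it is still under the root) but neutralises it via html.escape, which is the actual fix for the issue described here, while the triage helper flags the same request for review.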