XSS Vulnerability in KajonaCMS
Advisory by Netsparker (now Invicti)
Name: XSS Vulnerability in KajonaCMS
Software: KajonaCMS v4 and possibly below.
Vendor Homepage: http://www.kajona.de/
Vulnerability Type: Cross-site Scripting
Researcher: Omar Kurt
Advisory Reference: NS-14-023
Kajona is a content management framework based on PHP5 and published as an open-source project under the LGPL license. The roots of the project are going back to 2004 as collected programming solutions where combined into a library. The idea of a web content management framework was born – followed by version 2.0 in 2005 and 2.1 in the beginning of 2006. Version 3.0 was published with a complete code rewrite in 2006.
KajonaCMS is affected by XSS vulnerability in version v4.
KajonaCMS PoC urls are as follows:
- Cross-site Scripting
You can read the full article about Cross-site Scripting vulnerabilities from here:
05/06/2014 – First Contact
07/06/2014 – Second Contact
08/06/2014 – Vulnerability fixed
23/06/2014 – Advisory released
It has been discovered on testing of Invicti Web Application Security Scanner.
Invicti® can find and report security issues such as SQL Injection and Cross-site Scripting (XSS) in all web applications regardless of the platform and the technology they are built on. Invicti’s unique detection and exploitation techniques allows it to be dead accurate in reporting hence it’s the first and the only False Positive Free web application security scanner.