#444
  • Created on
    2013-07-26 03:03
  • Reported by
    -
  • Status
    Invalid
  • Priority
    Highest (1)
  • Assigned to
    skenow
  • Milestone
    -
  • Plan Level
    -
  • Permission type
    None
  • Due Date
    -

Attachments

Related Tickets

Add new subtask or bug

XSS Vulnerabilities: Advisory Reference : NS-13-004

https://www.mavitunasecurity.com/xss-vulnerabilities-in-impress-cms-content-module/

In the "Advisory Timeline" is written, the issue is not longer available, but I could not find code changes and we didn't publish a newer version.

What's going on? I would ask for clarification of the facts. Thank you.
User picture
  on 2013-07-27 15:48 *
By skenow
Status changed from New to Accepted
Prior to their publishing of this, @fiammy, @m0nty and I used their info and could not reprodue the issue.

I have reconfirmed this is a false positive report by downloading and installing the 1.3.4 Final zip package from SourceForge. I tried accessing the URI in the report 3 different times - prior to installation, after installation but before the module was installed, and after the module was installed. All 3 times there was no XSS script alert.

I've downloaded the evaluation copy of Netsparker, which was used to identify this "vulnerability" and ran it against a plain install of ImpressCMS 1.3.4 Final and the content module included in that release. The majority of the warnings issued were server configurations and outdated versions.

The URI listed in the vulnerability report passed without issue.
User picture
  on 2014-02-22 13:26 *
By David Janssens
Status changed from Accepted to Invalid
Logging this ticket as invalid, it could not be duplicated.