CVE-2013-3515
OpenX < 2.8.10 - Cross-Site Scripting via Package or Group Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2013-3515. PoCs published by High-Tech Bridge SA.
AI-analyzed exploit summary
The exploit demonstrates a Local File Inclusion (LFI) vulnerability in OpenX via the 'group' parameter in plugin-preferences.php and plugin-settings.php, allowing arbitrary file inclusion and execution. It also includes Cross-Site Scripting (XSS) examples via the 'package' and 'group' parameters in plugin-index.php and plugin-settings.php.
Description
Multiple cross-site scripting (XSS) vulnerabilities in OpenX Source 2.8.10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) package parameter to www/admin/plugin-index.php or the (2) group parameter to www/admin/plugin-settings.php.