CVE-2015-1422

Gecko CMS 2.2-2.3 - Cross-Site Scripting via Multiple Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-1422. PoCs published by LiquidWorm.

AI-analyzed exploit summary: The exploit demonstrates multiple vulnerabilities in Gecko CMS 2.3, including CSRF for admin creation, stored and reflected XSS, and SQL injection. It provides specific payloads and parameters for exploitation.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) horder[], (2) jak_catid, (3) jak_content, (4) jak_css, (5) jak_delete_log[], (6) jak_email, (7) jak_extfile, (8) jak_file, (9) jak_hookshow[], (10) jak_img, (11) jak_javascript, (12) jak_lcontent, (13) jak_name, (14) jak_password, (15) jak_showcontact, (16) jak_tags, (17) jak_title, (18) jak_url, (19) jak_username, (20) real_hook_id[], (21) sp, (22) sreal_plugin_id[], (23) ssp, or (24) sssp parameter to admin/index.php or the (25) editor, (26) field_id, (27) fldr, (28) lang, (29) popup, (30) subfolder, or (31) type parameter to js/editor/plugins/filemanager/dialog.php.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · text · webapps · php
https://www.exploit-db.com/exploits/35767

Classification: Working PoC 100%
Attack Type: XSS | SQLi | CSRF
Complexity: Trivial
Reliability: Reliable
Target: Gecko CMS 2.3 and 2.2
Auth required
Prerequisites: Access to admin interface · Valid session for CSRF
devstral-2 · analyzed Feb 16, 2026

References (7)

Core References
Exploit [exploit, x_refsource_exploit-db]: http://www.exploit-db.com/exploits/35767
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_xf]: https://exchange.xforce.ibmcloud.com/vulnerabilities/99977
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_osvdb]: http://osvdb.org/show/osvdb/116970
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_osvdb]: http://osvdb.org/show/osvdb/116969
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_osvdb]: http://osvdb.org/show/osvdb/116967

Scores

EPSS 0.0408
EPSS Percentile 89.4%

Details

CWE CWE-79
Status published
Products (2)
jakweb/gecko_cms 2.2
jakweb/gecko_cms 2.3
Published Jan 29, 2015
Tracked Since Feb 18, 2026