Cross-Site Scripting (XSS) in Twilight CMS
|Vendor:||Strata Technologies LLC|
|Vulnerable Versions:||5.17 and probably prior|
|Advisory Publication:||July 24, 2013 [without technical details]|
|Vendor Notification:||July 24, 2013|
|Vendor Fix:||August 15, 2013|
|Public Disclosure:||August 21, 2013|
|Latest Update:||August 17, 2013|
|Vulnerability Type:||Cross-Site Scripting [CWE-79]|
|CVSSv2 Base Score:||4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)|
|Solution Status:||Fixed by Vendor|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge Security Research Lab discovered vulnerability in Twilight CMS, which can be exploited to perform Cross-Site Scripting (XSS) attacks.
|The only version of Twilight CMS publicly available for download on the 24th of July (Vendor notification date) was 5.17.|
Vendor didn't reply to 12 notifications, however silently patched the vulnerability in version 5.24, which is now available for download on www.twl.ru (Russian version of Vendor website).
Update to version 5.24.
| High-Tech Bridge Advisory HTB23166 - https://www.htbridge.com/advisory/HTB23166 - Cross-Site Scripting (XSS) in Twilight CMS.|
 Twilight CMS - http://www.twilightcms.com/ - Twilight CMS is a convenient content management system.
 Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.