Mojoportal Multiple Vulnerabilities

############################################################

[CVE-2023-24322] Reflected Cross-site Scripting (XSS)
- Description: A reflected Cross-site Scripting (XSS) vulnerability was discovered in the FileDialog.aspx component of mojoPortal v2.7. It allows unauthenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the 'ed' and 'tbi' parameters.
- Vulnerability Type: Cross-site Scripting (XSS)
- Vendor of Product: i7MEDIA, LLC
- Affected Product Code Base: Mojoportal - v2.7
- Attack Type: Remote
- Author: Blakduk
- PoC: https://youtu.be/a-Fl5dfnDnc
- Reference:
https://www.mojoportal.com/
https://github.com/i7MEDIA/mojoportal
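The following is an added example for defenders, not code from the advisory or from the mojoPortal project: a small scanner that reads web-server access log lines and flags requests to FileDialog.aspx whose 'ed' or 'tbi' values carry markup or script, which is what a reflected-XSS probe against this issue looks like from the server side. It assumes NCSA/Apache-style log lines and a /Dialog/ directory for the page (both are assumptions; the match is on the page basename only) and double-decodes the values so a double-encoded payload is judged on what the browser would render. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Page basename and the query parameters the advisory reports as reflected.
# Keys are lower-case so matching is case-insensitive, as IIS paths are.
WATCHED_PAGES = {"filedialog.aspx": {"ed", "tbi"}}

# Markers that have no business in a plain editor/toolbar identifier.
MARKUP = re.compile(r"[<>]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# NCSA/Apache-style access log line (an assumption about the deployment).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def suspicious_params(target):
    """Return [(param, decoded_value)] for watched parameters carrying markup."""
    parts = urlsplit(target)
    page = parts.path.rsplit("/", 1)[-1].lower()
    watched = WATCHED_PAGES.get(page)
    if not watched:
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in watched:
            continue
        for value in values:
            # parse_qs already decoded once; decode again so a double-encoded
            # value (%253C -> %3C -> <) is judged on what the browser will see.
            decoded = unquote_plus(value)
            if MARKUP.search(decoded):
                hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return one finding per log line that probes a watched parameter."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip it
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"), "hits": hits})
    return findings


# Constructed sample log: one benign request, one plainly encoded probe,
# one double-encoded probe, and one request to an unrelated page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2023:12:00:01 +0000] "GET /Dialog/FileDialog.aspx?ed=editor1&tbi=tbImage HTTP/1.1" 200 5120
203.0.113.9 - - [10/Feb/2023:12:00:05 +0000] "GET /Dialog/FileDialog.aspx?ed=%3Cscript%3E&tbi=tbImage HTTP/1.1" 200 5300
203.0.113.9 - - [10/Feb/2023:12:00:09 +0000] "GET /Dialog/FileDialog.aspx?ed=editor1&tbi=%253Cscript%253E HTTP/1.1" 200 5300
198.51.100.4 - - [10/Feb/2023:12:01:00 +0000] "GET /Default.aspx?q=%3Cb%3E HTTP/1.1" 200 9000
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

The scanner is a triage aid, not a fix; the fix on the application side is to HTML-encode the 'ed' and 'tbi' values before writing them into the page (HttpUtility.HtmlEncode in ASP.NET) and to restrict them to the identifier characters the dialog actually needs.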

############################################################

[CVE-2023-24323] XML External Entity (XXE) injection
- Description: mojoPortal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability.
- Attack Vectors: To exploit this vulnerability, the authenticated user must be in the "Content Administrators" or "Administrators" role, or must have the "Edit Content and Style Templates" permission.
- Vulnerability Type: XML External Entity (XXE)
- Vendor of Product: i7MEDIA, LLC
- Affected Product Code Base: Mojoportal - v2.7
- Attack Type: Remote
- Author: Blakduk
- PoC: https://youtu.be/GhMLACuFjL4
- Reference:
https://www.mojoportal.com/
https://github.com/i7MEDIA/mojoportal
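Added example, not code from the advisory or from mojoPortal: the standard mitigation for XXE is to refuse any DTD before the document is processed, which is what DtdProcessing.Prohibit on XmlReaderSettings does in .NET. The Python version below does the same check as a parser event rather than a byte search for "<!DOCTYPE", so it is not fooled by a differently encoded document or by leading comments. The two XML documents are constructed for the example; the rejected one only declares a harmless internal entity, which is enough to trip the check.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a document carries a DTD, an entity declaration or an external reference."""


def assert_no_dtd(data: bytes) -> None:
    """Walk the document with expat and abort on the first DTD construct.

    This is the Python counterpart of DtdProcessing.Prohibit: a document is
    either DTD-free or it is rejected, so no entity (internal, external or
    parameter) ever gets expanded.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject(*_args):
        raise UnsafeXmlError("DTD and entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject   # fires at '<!DOCTYPE ...'
    parser.EntityDeclHandler = reject         # fires on any <!ENTITY ...>
    parser.ExternalEntityRefHandler = reject  # fires if an external entity is referenced
    parser.Parse(data, True)


def parse_xml_safely(data: bytes) -> ET.Element:
    """Parse untrusted XML, refusing anything that carries a DTD."""
    assert_no_dtd(data)
    # ElementTree's expat-based parser does not fetch external entities, and
    # the pre-check above guarantees there are no internal ones to expand.
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the DTD-free policy."""
    try:
        parse_xml_safely(data)
        return True
    except UnsafeXmlError:
        return False


# Constructed samples: a plain settings document and one that declares an entity.
BENIGN_DOC = b"<?xml version='1.0'?><settings><company>Example Ltd</company></settings>"
DTD_DOC = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE settings [<!ENTITY e 'x'>]>"
    b"<settings><company>&e;</company></settings>"
)

if __name__ == "__main__":
    print("benign accepted:", is_accepted(BENIGN_DOC))
    print("DTD document accepted:", is_accepted(DTD_DOC))
```

Because the check runs before the real parse, malformed input surfaces as an ordinary expat error and only DTD-bearing input is mapped to UnsafeXmlError; an upload handler for templates would log the latter separately, since it is a signal rather than a user mistake.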

############################################################

[CVE-2023-24687] Stored Cross-site Scripting (XSS)
- Description: mojoPortal v2.7 was discovered to contain a Stored Cross-site Scripting (XSS) vulnerability in the Company Info Settings component. This vulnerability allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "txtCompanyName" parameter.
- Vulnerability Type: Cross-site Scripting (XSS)
- Vendor of Product: i7MEDIA, LLC
- Affected Product Code Base: Mojoportal - v2.7
- Attack Type: Remote
- Author: Blakduk
- Reference:
https://www.mojoportal.com/
https://github.com/i7MEDIA/mojoportal

############################################################

[CVE-2023-24688] User Registration Restriction Bypass
- Description: An issue in mojoPortal v2.7 allows an unauthenticated attacker to register a new user even if the "Allow User Registrations" feature is disabled.
- Vendor of Product: i7MEDIA, LLC
- Affected Product Code Base: Mojoportal - v2.7
- Attack Type: Remote
- Author: Blakduk
- PoC: https://youtu.be/-7UfEQ0XtLY
- Reference:
https://www.mojoportal.com/
https://github.com/i7MEDIA/mojoportal

############################################################

[CVE-2023-24689] Directory Traversal
- Description: An issue in mojoPortal v2.7 and below allows an authenticated attacker to list all CSS files inside the root path of the web server via manipulation of the 's' parameter in ManageSkin.aspx.
- Vulnerability Type: Directory Traversal
- Vendor of Product: i7MEDIA, LLC
- Affected Product Code Base: Mojoportal - v2.7
- Attack Type: Remote
- Author: Blakduk
- Reference:
https://www.mojoportal.com/
https://github.com/i7MEDIA/mojoportal
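Added example for the ManageSkin.aspx issue above, not code from the advisory or from mojoPortal: a skin selector parameter should name exactly one directory under the skins folder, so the safe handling is an allow-list on the name plus a check that the resolved path is still strictly inside that folder. The skins root path and the skin names are constructed; the function names are this example's own.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# A skin is addressed by a single directory name: no separators, no leading dot.
SKIN_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


class InvalidSkinError(ValueError):
    pass


def resolve_skin_dir(skins_root: str, s: str) -> str:
    """Map the 's' parameter to a directory under skins_root, or raise."""
    name = unquote(s)  # judge the value the server would actually use
    if not SKIN_NAME.fullmatch(name):
        raise InvalidSkinError(f"invalid skin name {s!r}")
    root = os.path.abspath(skins_root)
    candidate = os.path.abspath(os.path.join(root, name))
    # Defence in depth: even if the allow-list were loosened later, the
    # resolved directory must stay strictly inside the skins root.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise InvalidSkinError(f"skin {s!r} resolves outside the skins root")
    return candidate


def is_valid_skin(skins_root: str, s: str) -> bool:
    try:
        resolve_skin_dir(skins_root, s)
        return True
    except InvalidSkinError:
        return False


def list_skin_css(skins_root: str, s: str):
    """List the .css files of one skin; never walks anywhere else."""
    skin_dir = resolve_skin_dir(skins_root, s)
    return sorted(
        entry.name
        for entry in os.scandir(skin_dir)
        if entry.is_file() and entry.name.lower().endswith(".css")
    )


if __name__ == "__main__":
    # Constructed layout: one skin with two stylesheets and a non-CSS file.
    with tempfile.TemporaryDirectory() as root:
        skin = os.path.join(root, "framework")
        os.mkdir(skin)
        for fname in ("style.css", "layout.css", "readme.txt"):
            open(os.path.join(skin, fname), "w").close()
        print(list_skin_css(root, "framework"))          # ['layout.css', 'style.css']
        for probe in ("../../", "..%2F..%2F", "/etc", "", ".hidden"):
            print(repr(probe), "accepted:", is_valid_skin(root, probe))
```

The allow-list alone already rejects every traversal form, including percent-encoded ones; the commonpath check is kept so that a future relaxation of the name rule cannot silently reopen the listing.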