
Cross Site Scripting for Batavi version 1.2.2

Dognædis Ref.: DGS-SEC-18

CVE Ref: CVE-2013-2289

Release Date: 2013/03/01

Discovery Credits: CodeV - Code Analyzer

Bulletin Author(s): AMPP - CodeV Team

Contact: [email protected]

Type: Cross Site Scripting

Level: High (Low/High/Critical)

CVSS: 3.4 (AV:N/AC:L/Au:S/C:C/I:P/A:N)

Note: the score and the vector as printed do not agree. Under the CVSS v2 equations a vector of AV:N/AC:L/Au:S/C:C/I:P/A:N yields a base score of 7.5, so one of the two values is a transcription error; the "High" level above is consistent with the vector rather than with 3.4. Au:S records that the affected page sits in the authenticated admin area.

Vulnerable Application: Batavi version 1.2.2

All the open source ecommerce you'll ever need, in one package.


File: /admin/templates/default.php

Vulnerable Argument(s): $btv_Template->getPageTitle()

line 149: echo '<h1>' . btv_link_object(btv_href_link_admin(FILENAME_DEFAULT, btv_get_all_get_params(array('action'))), $btv_Template->getPageTitle()) . '</h1>'

Proof(s) of Concept:
<root>/admin/index.php?file_manager&file_manager&"><script>alert(123)</script></a><a href="

The payload is carried in a GET parameter name, which the admin template reflects into the anchor it generates around the page title on line 149. The leading "> closes the href attribute and the <a> start tag, </a> closes the element, and the trailing <a href=" re-opens an anchor so the rest of the generated markup still parses. Since Au:S in the vector records that the admin page requires a logged-in session, the practical vector is a crafted link delivered to an authenticated administrator.


In general, a reflected cross-site scripting flaw of this kind gives an attacker a foothold for attacks such as:
- Session/cookie theft
- Account hijacking
- Identity theft
- Access to confidential resources
- Access to paid content
- Account denial of service

Because the injection point is in the administration interface, injected script runs with the privileges of the store administrator's browser session.

To resolve the vulnerability, the request-derived values emitted on line 149 should be output-encoded for the context they land in: the query string percent-encoded when the href is built, and both the href attribute value and the title text HTML-encoded (for example with htmlspecialchars() using ENT_QUOTES) before they are echoed. Encoding at output time, per context, is more reliable than attempting to sanitize the input for HTML and ECMAScript (JavaScript) at the point where it is read.
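The following is an added example, not code from Batavi or from the advisory authors. It reconstructs the concatenation pattern of line 149 in a vulnerable helper and places a hardened version beside it, fed with a constructed copy of the PoC query string. The functions h(), build_admin_href(), render_title_vulnerable() and render_title_hardened() are hypothetical stand-ins; the Batavi btv_* helpers are not reimplemented, and the /admin/ base path is an assumption.

```php
<?php
// Added example (not Batavi's code): reconstructs the pattern used on
// admin/templates/default.php line 149 and shows a hardened version next
// to it. h(), build_admin_href() and the render_* functions below are
// hypothetical stand-ins; the '/admin/' base path is an assumption.

declare(strict_types=1);

// Escape for HTML text and attribute context. ENT_QUOTES covers both
// quote characters, so the same helper serves href="..." and element text.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Rebuild the admin link from a filename and the surviving GET parameters.
// http_build_query() percent-encodes keys as well as values, so a key such
// as "><script>... can no longer terminate the URL or the attribute.
function build_admin_href(string $filename, array $params): string
{
    $qs = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return '/admin/' . $filename . ($qs === '' ? '' : '?' . $qs);
}

// Vulnerable shape: GET keys and the page title are concatenated raw.
// This is what the advisory's PoC hits: the key payload closes the href
// attribute and the <a> element, then re-opens an anchor so the remaining
// markup still parses.
function render_title_vulnerable(array $get, string $title): string
{
    unset($get['action']);
    $href = '/admin/index.php?' . implode('&', array_keys($get));
    return '<h1><a href="' . $href . '">' . $title . '</a></h1>';
}

// Hardened shape: URL-encode the query, then HTML-encode the attribute
// value and the text node separately. Encoding is applied at output, per
// context, rather than by "sanitizing" the input.
function render_title_hardened(array $get, string $title): string
{
    unset($get['action']);
    $href = build_admin_href('index.php', $get);
    return '<h1><a href="' . h($href) . '">' . h($title) . '</a></h1>';
}

// Constructed input mirroring the advisory's PoC query string
// (?file_manager&file_manager&"><script>alert(123)</script></a><a href=").
// The duplicate key collapses and the payload survives as a key with an
// empty value. Real $_GET parsing would also rewrite the space in the key
// to an underscore, which does not affect the attribute break-out.
$poc = [
    'file_manager' => '',
    '"><script>alert(123)</script></a><a href="' => '',
];

echo "vulnerable: " . render_title_vulnerable($poc, 'Index') . PHP_EOL;
echo "hardened:   " . render_title_hardened($poc, 'Index') . PHP_EOL;

// Quick check: the hardened output must contain neither a raw <script tag
// nor a second quote inside the <a> start tag that could close the attribute.
$hardened = render_title_hardened($poc, 'Index');
if (stripos($hardened, '<script') !== false
    || preg_match('/href="[^"]*"[^>]*"/', $hardened) === 1) {
    fwrite(STDERR, "hardened output still breaks out of the attribute\n");
    exit(1);
}
echo "hardened output is inert in both attribute and text context" . PHP_EOL;
```

Run with `php example.php`. The vulnerable line prints the PoC markup with a live script element inside the h1; the hardened line prints the same payload as an inert percent-encoded query key inside an HTML-encoded href, which is the shape line 149 should produce.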

Official Solution:
At the moment, there is no official solution for the reported vulnerability.

External References:

