Name : XSS Vulnerability in KajonaCMS
Software : KajonaCMS v4 and possibly below.
Vendor Homepage :
Vulnerability Type : Cross-site Scripting
Severity : Critical
Researcher : Omar Kurt
Advisory Reference : NS-14-023

Kajona is a content management framework based on PHP5 and published as an open source project under the LGPL license. The roots of the project are going back to 2004 as collected programming solutions where combined into a library. The idea of a web content management framework was born – followed by version 2.0 in 2005 and 2.1 in the beginning of 2006. Version 3.0 was published with a complete code rewrite in 2006.

KajonaCMS is affected by XSS vulnerability in version v4.

KajonaCMS PoC urls are as follows :

  • Cross-site Scripting';"--></style></scRipt><scRipt>alert(0x0001EE)</scRipt>&action=mediaFolder (Querystring)

You can read the full article about Cross-site Scripting vulnerabilities from here :


Advisory Timeline

05/06/2014 - First Contact
07/06/2014 - Second Contact
08/06/2014 - Vulnerability fixed
23/06/2014 - Advisory released

It has been discovered on testing of Netsparker Web Application Security Scanner.

About Netsparker
Netsparker® can find and report security issues such as SQL Injection and Cross-site Scripting (XSS) in all web applications regardless of the platform and the technology they are built on. Netsparker's unique detection and exploitation techniques allows it to be dead accurate in reporting hence it's the first and the only False Positive Free web application security scanner.