What this actually is.
Technical background, root cause, and affected surface.
A cross-site scripting vulnerability was identified in the Publication module of BEdita CMS 3.6.0. The vulnerability is triggered via a crafted pages/showObjects URI: a payload appended to a pages/showObjects/2/0/0/leafs URI is reflected into the page and executed in the victim's browser (CWE-79).
- Vendor
- BEdita
- Affected Product
- BEdita
- CVE
- CVE-2015-9260
- Securin ID
- 2015-CSW-10-1010
- Status
- Fixed
- Date
- October 14, 2015
- Severity
- Medium
- CVSS Score
- 5.4
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- CWE
- CWE-79
Proof of concept.
Reproduced in a sandboxed environment. The vulnerable endpoint is reachable over the network (CVSS AV:N); exploitation needs a low-privileged authenticated account and an action by the victim (PR:L, UI:R).
Issue: the POST request URL http://192.168.56.104/bedita/beditaapp/pages/showObjects/2/0/0/leafs of BEdita CMS 3.6.0 is vulnerable to cross-site scripting (XSS): a payload appended to this path is echoed into the response without output encoding.
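To make the CWE-79 pattern concrete, the following is an added example and not BEdita's own code: a hypothetical renderer for the leafs URI that echoes the trailing path segment unescaped, the same template with contextual HTML encoding, and a probe helper that tells the two apart by checking whether a canary string survives into the response verbatim. The base path and host are taken from the advisory; the canary, the div markup and the function names are assumptions made for the illustration.

```python
import html
from urllib.parse import quote, unquote, urlsplit

# Path from the advisory; everything after it is treated as attacker-controlled
# in this constructed example.
BASE_PATH = "/bedita/beditaapp/pages/showObjects/2/0/0/leafs"
HOST = "http://192.168.56.104"
# Harmless canary: if it reaches the page unencoded, script injection is possible.
CANARY = '<svg onload=alert("x")>'


def build_probe_url(base_path: str = BASE_PATH, canary: str = CANARY) -> str:
    """URL with the canary appended as an extra (percent-encoded) path segment."""
    return f"{HOST}{base_path}/{quote(canary)}"


def attacker_segment(url: str) -> str:
    """Decoded path content following the leafs segment, or '' if not under it."""
    path = urlsplit(url).path
    if not path.startswith(BASE_PATH):
        return ""
    return unquote(path[len(BASE_PATH):].lstrip("/"))


def render_vulnerable(url: str) -> str:
    """Hypothetical vulnerable template: path data lands in HTML body and an
    attribute value with no encoding. Illustrates the flaw class only."""
    seg = attacker_segment(url)
    return f'<div class="leafs" data-filter="{seg}">Objects: {seg}</div>'


def render_hardened(url: str) -> str:
    """Same template with output encoding for the HTML text and attribute
    contexts (html.escape with quote=True covers both)."""
    seg = html.escape(attacker_segment(url), quote=True)
    return f'<div class="leafs" data-filter="{seg}">Objects: {seg}</div>'


def reflects_unescaped(body: str, canary: str = CANARY) -> bool:
    """True when the canary is present verbatim, i.e. '<', '>' and '"' were not
    encoded; an encoded reflection (&lt;svg ...) is not counted as vulnerable."""
    return canary in body


def probe(url: str) -> dict:
    """Run the canary against both renderers and report which one reflects it."""
    return {
        "vulnerable": reflects_unescaped(render_vulnerable(url)),
        "hardened": reflects_unescaped(render_hardened(url)),
    }


if __name__ == "__main__":
    print(probe(build_probe_url()))
```

Against a live target the same `reflects_unescaped` check applied to the real HTTP response is the post-patch verification step: after upgrading, the canary must come back encoded (or stripped), never verbatim.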
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:
- Perform any action within the application that the user can perform.
- View any information that the user is able to view.
- Modify any information that the user is able to modify.
- Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Download the latest version of BEdita and apply the update as described in the vendor advisory, then confirm that a payload appended to the pages/showObjects URI is no longer reflected unencoded in the response.
disclose@securin.io
Vendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
Reported to Vendor
Vendor Responded
Vendor Responded “Under Investigation”
Follow up Email
Vendor Released Fixed
CVE Assigned
Disclosed 58 days after discovery
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.