SecurinZero Days
    Email Us
    Zero-Day Research/CVE-2015-9549
    ▲ MediumCVSS 6.1✓ PatchedEPSS 0.00403%

    Reflected Cross-Site Scripting in OcPortal CMS

    A reflected Cross-site Scripting (XSS) vulnerability exists in OcPortal 9.0.20 via the OCF_EMOTICON_CELL.tpl FIELD_NAME field to data/emoticons.php.

    CVE IDCVE-2015-9549
    CVSS v3.16.1 Medium
    VendorOcPortal
    CWECWE-79
    DisclosedNov 6, 2015
    StatusFixed
    All advisories
    • 01Description
    • 02Proof of Concept
    • 03Impact
    • 04Remediation
    • 05Timeline
    • 06References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    A reflected cross-site scripting vulnerability identified on OcPortal CMS 9.0.20. An input variable vulnerable to XSS is ‘field_name’ in the CF_EMOTICON_CELL.tplfile.\ocportal\themes\default\templates\OCF_EMOTICON_CELL.tpl.

    Vendor
    OcPortal
    Affected Product
    OcPortal
    CVE
    CVE-2015-9549
    Securin ID
    2015-CSW-10-1013
    Status
    Fixed
    Date
    November 6, 2015
    Severity
    Medium
    CVSS Score
    6.1
    Vector
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    CWE
    CWE-79
    02/Proof of Concept

    From one request
    to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

    6.1CVSS 3.1
    VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    ScopeChanged
    ImpactC:L / I:L / A:N
    SeverityMedium

    As per the documentation of the Ocportal, a value in a template that is not meant to contain HTML is marked as an escaped value ({VALUE*}). This means that ‘HTML entities’ are put in replacement of HTML control characters.

    PoC · Exploitation Steps▲ trigger
    01Here the VALUE that is marked with * symbol will be filtered with the XSS filter, and it will be sanitized before displaying it to the user, but they forgot to mark FIELD_NAME in OCF_EMOTICON_CELL.tplfile.\ocportal\themes\default\templates\OCF_EMOTICON_CELL.tpl02The View_all link beside the emoticons in the following screen is having this FIELD_NAME variable.03The View_all link is sending the following GET request to the server04The following is the source code of emoticons.php file\ocportal\data\emotions.php05The following is the code related to emoticons_script function in misc_scritps.php file\ocportal\sources\misc_scripts.php\ocportal\sources\misc_scripts.php06Code that is loading the template file with the user-entered input \ocportal\sources\misc_scripts.php07This code is reading the GET request parameter field_name and displaying it back to the user without filtering because of the variable is not marked with * symbol. Obviously, it will not go for any filtration.08GET request to emoticons.php with script vector as the value of field_name09And the inserted payload is reflecting back to the user, as shown in the following screen.
    03/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

    A reflected cross-site script (XSS) vulnerability allows an attacker to inject malicious code into the emotions.php by providing XSS payload as a value for field_name.

    04/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

    Download the latest version and update it as per the vendor advisory.

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2015-9549, contact disclose@securin.io
    05/Disclosure Timeline

    Vendors moved in days.
    Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    Nov 06, 2015

    Reported to Vendor

    Nov 06, 2015

    Vendor Response

    Nov 07, 2015

    Vendor Released Fixed

    Nov 13, 2015

    Public Disclosure

    Aug 08, 2020

    CVE Assigned

    Disclosed 1 day after discovery

    06/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

    NVD

    NVD — CVE-2015-9549

    nvd.nist.gov/vuln/detail/CVE-2015-9549 →
    SEC

    Securin VI — Full Technical Analysis

    vi.securin.io →

    Let Securin level up your security posture.

    Get a live exposure assessment, threat-actor briefing tailored to your sector, and IoC mapping for your SIEM.

    Browse all advisories
    SecurinSecurinZero Days

    Securin's zero-day research operation combines frontier AI models with a decade of offensive expertise — discovering, validating, and coordinating the disclosure of high-impact vulnerabilities at a scale and speed no human team achieves alone.

    Glossary
    © 2026 Securin Inc · CVE Numbering Authority
    Privacy Policy·Data Processing Addendum