login.php is not included inside pulse\admin\inc\gal-sort.php, so anyone can access this file.
So we control the content of ../../content/media/". $gallery ."/gallery.txt.
Because data from gallery.txt is used in the gallery, we can put XSS there.
Proof of Concept:
XSS will be visible on the page where gallery is displayed.
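
The two controls missing in the issue described above (an authentication check at the top of the admin script, and encoding of gallery.txt data when the gallery is rendered), shown as an added PHP example that is not Pulse CMS code. The function names, the is_admin session flag and the one-caption-per-line file format are assumptions.

```php
<?php
declare(strict_types=1);
// Added example with hypothetical names; not taken from Pulse CMS.

// 1. Authentication gate. Every script under admin/ calls this first,
//    so a directly requested file cannot run without a logged-in session.
function require_admin_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // 'is_admin' is an assumed flag set by the login page.
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// 2. Write path. Captions are stored as plain text, one per line
//    (assumed format), so line breaks inside a caption are flattened.
function save_gallery_order(string $galleryFile, array $captions): void
{
    $lines = [];
    foreach ($captions as $caption) {
        $lines[] = str_replace(["\r", "\n"], ' ', (string) $caption);
    }
    file_put_contents($galleryFile, implode("\n", $lines) . "\n", LOCK_EX);
}

// 3. Read path. File content is treated as untrusted and HTML-encoded
//    at the point of output, whoever wrote the file.
function render_gallery(string $galleryFile): string
{
    $lines = file($galleryFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    $html = "<ul>\n";
    foreach ($lines as $line) {
        $html .= '  <li>'
            . htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed demo: the second caption contains markup and is rendered inert.
$tmp = tempnam(sys_get_temp_dir(), 'gal');
save_gallery_order($tmp, ['Holiday 2014', '<script>alert(1)</script>']);
echo render_gallery($tmp);
unlink($tmp);
```

In a real admin script, require_admin_session() would be the first call, before any request data is read or any file is written.
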
- 26-11-2014: Discovered
- 26-11-2014: Vendor notified
- 27-11-2014: Version 4.2.1 released, issue resolved