|
|
Info |
Last Modified |
| 10 months ago |
|
|
|
|
Description |
CMSimple Content Management System contains flaws that allow a remote cross site scripting attack. These flaws exist because the application does not validate user-supplied variables upon submission to the search and guestbook modules. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
|
|
Classification |
Location:
Remote/Network Access Required
Attack Type:
Input Manipulation
Impact:
Loss of Integrity
Exploit:
Exploit Rumored / Private
Disclosure:
OSVDB Verified
|
|
Technical |
An exploit in this module could lead to loss of integrity as it could expose user cookies (including authentication cookies), data supplied via a web form on the site. In addition, the attacker could perform actions that the owner of the account the CMS is privileged to run.
Since version 2.4 beta 5, the htmlspecialchars() routine filters out exploiting javascript and other code in the search and guestbook modules thus removing this hole.
|
|
Solution |
Upgrade to version 2.4 Beta 5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
|
|
Products |
|
Content Management System
 |
2.4 beta 5 |
1.0 |
1.1 |
1.2 |
1.3 beta 1 |
1.3 beta 2 |
beta 2 |
Beta 1 |
2.0 Beta 1 |
2.0 Beta 2 |
2.0 Beta 3 |
2.0 Beta 4 |
2.2 |
2.3 Beta 1 |
2.3 Beta 2 |
2.3 Beta 3 |
2.3 Beta 4 |
2.3 Beta 5 |
2.3 |
2.4 Beta 1 |
2.4 Beta 2 |
2.4 Beta 3 |
2.4 Beta 4 |
2.1 |
2.4 Beta |
2.2 Beta 1 |
2.2 Beta 2 |
2.2 Beta 3 |
2.2 Beta 4 |
|
|
|
|
|
|
|
BlogsProvided by Technorati
|
None found at this time
|
|
|
