Info

Disclosure

Dec 17, 2005

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

AWF-CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "page" variable upon submission to multiple template scripts. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Rumored / Private
OSVDB: Web Related

Solution

Upgrade to version 2.10-beta3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

AWF-CMS Development Team	AWF-CMS	2.01
		2.10-beta

References

Related OSVDB ID: 21915
Other Advisory URL: http://pridels.blogspot.com/2005/12/awf-adaptive-website-framework-vuln.html
CVE ID: 2005-4372 (see also: NVD)
Vendor URL: http://www.awf-cms.org

Credit

r0t - krustevsgooglemail.com - UNSECURED SYSTEMS

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

AWF-CMS Development Team

AWF-CMS

References

Credit