Tendenci CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. The flaw exists because the application does not validate the "category", "searchtext", "jobcategoryid", and "contactcompany" variables upon submission to the search.asp script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Classification
Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch
Exploit: Exploit Available
Disclosure: Vendor Verified
OSVDB: Web Related
Multiple cross-site scripting (XSS) vulnerabilities in search.asp in Tendenci CMS allow remote attackers to inject arbitrary web script or HTML via the (1) category, (2) searchtext, (3) jobcategoryid, (4) contactcompany, and unspecified other parameters. NOTE: some of these details are obtained from third party information.
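For sites that still need to apply the patch, the following added example (not part of the original entry and not Tendenci code) reviews web server logs for requests to search.asp that carry markup in the four named parameters. It assumes IIS W3C-format logs with a `#Fields:` header; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Parameter names from the advisory; compared case-insensitively because
# classic ASP does not distinguish case in Request keys.
WATCHED = {"category", "searchtext", "jobcategoryid", "contactcompany"}

# Heuristic only: characters needed to open a tag or break out of an attribute.
SUSPICIOUS = re.compile(r'[<>"]|javascript:', re.IGNORECASE)

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_request(uri_stem, uri_query):
    """Return (param, decoded_value) pairs worth reviewing for one request."""
    if not uri_stem.lower().endswith("/search.asp"):
        return []
    hits = []
    for name, raw in parse_qsl(uri_query, keep_blank_values=True):
        value = decode_fully(raw)
        if name.lower() in WATCHED and SUSPICIOUS.search(value):
            hits.append((name.lower(), value))
    return hits

def scan_log(text):
    """Walk a W3C log, using its #Fields line to locate the URI columns."""
    fields, findings = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            stem, query = row.get("cs-uri-stem", ""), row.get("cs-uri-query", "")
            findings += [(row.get("c-ip"), p, v) for p, v in flag_request(stem, query)]
    return findings

# Constructed sample log (documentation IP range), not real traffic.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-01 10:00:00 GET /search.asp category=jobs&searchtext=engineer 192.0.2.10 200
2024-01-01 10:00:05 GET /search.asp searchtext=%3Cscript%3Ealert(1)%3C/script%3E 192.0.2.11 200
2024-01-01 10:00:09 GET /search.asp contactcompany=%2522%253E%253Cb%253E 192.0.2.12 200
2024-01-01 10:00:12 GET /news.asp title=%3Cb%3E 192.0.2.13 200
"""
```

The entry also mentions unspecified other parameters, so a hit list limited to these four names is a lower bound on what reached search.asp.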