Info

Disclosure

Apr 17, 2010

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Apr 17, 2010

Description

GetSimple CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate input appended after the URL upon submission to the admin/upload.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Public
Disclosure: Vendor Verified
OSVDB: Web Related

Solution

Upgrade to revision r133 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

A Cagintranet Networks Production

GetSimple CMS

2.01

References

Secunia Advisory ID: 39464
Related OSVDB ID: 64042 64043 64044 64045 64046 64047 64048 64049 64050 64051 64052 64054
Other Advisory URL: http://code.google.com/p/get-simple-cms/source/detail?r=133
Vendor URL: http://get-simple.info/
Packet Storm: http://packetstormsecurity.org/1004-advisories/sa39464.txt

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/64053