Info

Disclosure

Jun 28, 2010

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Input passed via the "cat" parameter to admin/admin.php and via the URL through various scripts (e.g. admin/admin.php, admin/ads.php, admin/affiliates.php, admin/comments.php) to functions.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Solution Unknown
Exploit: Exploit Unknown
OSVDB: Web Related

Solution

OSVDB is not aware of a solution for this vulnerability.

Products

Unknown or Incomplete

References

VUPEN Advisory: 2010
Secunia Advisory ID: 39395
Bugtraq ID: 41194
ISS X-Force ID: 59851
Related OSVDB ID: 66194 66195 66196 66197 66198 66199 66201 66202 66203 66204 66205
Other Advisory URL: http://holisticinfosec.org/content/view/142/45/
Vendor URL: http://www.onecms.net

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/66200