OSVDB ID: 82438

Title: concrete5 index.php/tools/required/sitemap_search_selector Multiple Parameter XSS

Info

Disclosure

May 19, 2012

Discovery

Unknown

Dates

Exploit

May 19, 2012

Solution

Unknown

Description

concrete5 contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'ocID' and 'select_mode' parameters upon submission to the index.php/tools/required/sitemap_search_selector script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Solution Unknown
Exploit: Exploit Public
Disclosure: Uncoordinated Disclosure
OSVDB: Web Related

Solution

OSVDB is not aware of a solution for this vulnerability.

Products

Concrete CMS Inc.

concrete5

5.5.21

References

Bugtraq ID: 53640
Related OSVDB ID: 82417 82418 82419 82420 82422 82424 82425 82426 82427 82432 82439 82441 82548 82549
Packet Storm: http://packetstormsecurity.org/files/112885/Concrete-5.5.21-XSS-CSRF-Path-Disclosure.html

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/82438