HIO-2010-0325 Webessence CMS Multiple Vulnerabilities
Webessence CMS 1.0 contains multiple flaws that allow cross-site scripting and cross-site request forgery.
1) CSRF: The application allows users to perform certain actions via HTTP requests sent to e.g. admin/configure.php without performing any validity checks to verify the request. This can be exploited to e.g. conduct script-insertion attacks and change certain settings by tricking an administrator into visiting a malicious website.
2) XSS: Input passed to the "type" parameter in /admin/media.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site.
References:
CVE: 2010-pending
FrSIRT: N/A
Nessus: N/A
SA: 39128
XF:
Related:
Vendor Solution: Upgrade to 1.0.2
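Added here as an illustration, not Webessence CMS code and not the vendor's 1.0.2 fix: one way an admin PHP page can close both flaw classes described above, by checking a per-session CSRF token on every state-changing POST and by allow-listing and HTML-encoding the reflected "type" parameter before output. The file name, the setting name and the list of allowed media types are assumptions.

```php
<?php
// Added example (not Webessence CMS code): a hardened admin page pattern
// covering the two flaw classes in the advisory. File name, setting names
// and the allowed media types are assumptions for illustration.
declare(strict_types=1);
session_start();

// Issue one unguessable token per session and embed it in every admin form.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function csrf_token_valid(array $post, array $session): bool
{
    // hash_equals() performs a constant-time comparison.
    return isset($post['csrf_token'], $session['csrf_token'])
        && hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// 1) CSRF: a cross-site page can make the browser send this request, but it
//    cannot read the token, so refuse to change settings without it.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_valid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    $siteName = (string) ($_POST['site_name'] ?? '');   // assumed setting
    // ... persist $siteName with the CMS's own save routine ...
}

// 2) XSS: constrain "type" to known values, then encode for HTML output.
$allowedTypes = ['image', 'video', 'document'];           // assumed list
$type = (string) ($_GET['type'] ?? 'image');
if (!in_array($type, $allowedTypes, true)) {
    $type = 'image';
}
$safeType  = htmlspecialchars($type, ENT_QUOTES | ENT_HTML5, 'UTF-8');
$safeToken = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="configure.php">
  <input type="hidden" name="csrf_token" value="<?= $safeToken ?>">
  <label>Site name <input name="site_name"></label>
  <button type="submit">Save</button>
</form>
<p>Showing media of type: <?= $safeType ?></p>
```

The encoding shown is correct for HTML text and attribute contexts only; a value placed inside a script block, a URL or a CSS rule needs the encoder for that context.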