
HIO-2008-1005 CompactCMS 1.1 XSS & CSRF

CompactCMS 1.1 and earlier contain flaws that allow remote cross-site scripting and cross-site request forgery.

Cross-site scripting occurs on POST requests to the /admin/index.php script, where the "pagetitle" and "subheader" parameters are not properly sanitized before being processed. Because the parameters are submitted via POST, an attacker would typically deliver them through a crafted page or form that submits on the victim's behalf rather than through a bare URL. A successful attack executes arbitrary script code in the user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

The cross-site request forgery issue exists because the application performs certain state-changing actions in response to HTTP requests without any check (such as a per-session anti-CSRF token) that the request was deliberately issued by the authenticated user. An attacker who can get a logged-in administrator to visit a page under the attacker's control can therefore have that page submit such requests with the administrator's session.
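To make both defects concrete, the following PHP is an added illustration and is not CompactCMS's own code: it models a minimal admin handler that reads "pagetitle" and "subheader" from a POST to /admin/index.php, shows the unsanitized rendering and the unchecked request handling described above, and places a hardened version of each beside it. The parameter and script names follow the advisory; the function names, the session layout and the sample payloads are assumptions made for the example.

```php
<?php
// Added example, not CompactCMS code. Assumptions: a page-edit handler that takes
// "pagetitle" and "subheader" from POST (as in the advisory) and renders them into HTML;
// all function names, the session array layout and the sample input are illustrative.

declare(strict_types=1);

// --- Cross-site scripting: vulnerable vs. hardened rendering ---

// Vulnerable: user-controlled values are interpolated into the HTML unchanged.
function render_vulnerable(array $post): string
{
    return "<h1>{$post['pagetitle']}</h1>\n<h2>{$post['subheader']}</h2>\n";
}

// Hardened: every value is HTML-encoded for the text context it lands in.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $post): string
{
    return '<h1>' . esc($post['pagetitle'] ?? '') . "</h1>\n"
         . '<h2>' . esc($post['subheader'] ?? '') . "</h2>\n";
}

// --- Cross-site request forgery: vulnerable vs. hardened request validation ---

// Vulnerable: any POST carrying the expected fields is acted upon, whoever caused it.
function accept_vulnerable(array $post): bool
{
    return isset($post['pagetitle'], $post['subheader']);
}

// Hardened: a per-session random token is embedded in the legitimate form and must be
// echoed back; the comparison is constant-time to avoid leaking the token byte by byte.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function accept_hardened(array $post, array $session): bool
{
    if (!isset($post['pagetitle'], $post['subheader'], $post['csrf_token'], $session['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Constructed sample input standing in for a forged POST to /admin/index.php.
$hostile = [
    'pagetitle' => '<script>alert(document.cookie)</script>',
    'subheader' => '" onmouseover="alert(1)',
];
$session = [];
$token = issue_csrf_token($session);

echo "Vulnerable rendering:\n", render_vulnerable($hostile);
echo "Hardened rendering:\n", render_hardened($hostile);
echo 'Forged request accepted (vulnerable): ', var_export(accept_vulnerable($hostile), true), "\n";
echo 'Forged request accepted (hardened):   ', var_export(accept_hardened($hostile, $session), true), "\n";
echo 'Legitimate request accepted (hardened): ',
    var_export(accept_hardened($hostile + ['csrf_token' => $token], $session), true), "\n";
```

Run it with `php example.php`: the vulnerable rendering emits the script tag verbatim, the hardened one emits `&lt;script&gt;...`, and the forged request is rejected by the hardened handler while the same request carrying the session's token is accepted. In a real deployment the token would live in `$_SESSION` and be emitted as a hidden form field; the per-session token is one common check, and the advisory does not say which mechanism version 1.2 adopted.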

References:

BID: 32007
CVE: CVE-2008-4909
OSVDB: 49463, 49464
SA: 32464

Vendor Solution: Upgrade to version 1.2
