"Interest in computer security is driven by events, and the number of events is increasing dramatically. - Ralph Merkle"
HIO-2009-0131 Contenido admin login XSS

The Contenido 4.8 content management system exhibits a cross-site scripting vulnerability in the Contenido Backend admin logon script. Given the dependency on a unique contenido variable, this bug is difficult to exploit. Input passed via POST to the username, password, and formtimestamp variables is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

The vulnerability is confirmed in version 4.8.10 and earlier. Download 4.8.11 to mitigate the issue.
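The class of defect described above, shown next to a hardened form, as an added example that is not Contenido source code. Only the three field names come from the advisory; the function names, the form markup and the assumption that formtimestamp is purely numeric are hypothetical.

```php
<?php
// Added illustration, NOT Contenido code. Function names and markup are
// hypothetical; only the three field names are taken from the advisory.

/** Encode a value for HTML text or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Read a POST field as a string; array input (field[]=x) is dropped. */
function post_string(array $post, string $name): string
{
    $value = $post[$name] ?? '';
    return is_string($value) ? $value : '';
}

/** Pattern the advisory describes: request data returned as-is. */
function render_login_unsafe(array $post): string
{
    return '<input type="text" name="username" value="'
        . post_string($post, 'username') . '">';
}

/** Hardened: encode on output, never echo the password back, and accept
 *  formtimestamp only when it is all digits (assumed format). */
function render_login_safe(array $post): string
{
    $username = post_string($post, 'username');
    $stamp    = post_string($post, 'formtimestamp');
    if (!ctype_digit($stamp)) {
        $stamp = (string) time();   // discard anything non-numeric
    }
    return '<form method="post">'
        . '<input type="text" name="username" value="' . h($username) . '">'
        . '<input type="password" name="password" value="">'
        . '<input type="hidden" name="formtimestamp" value="' . h($stamp) . '">'
        . '</form>';
}

// Constructed sample input with markup characters in every field.
$sample = [
    'username'      => '"><b>x</b>',
    'password'      => '"><b>x</b>',
    'formtimestamp' => '1234"><b>x</b>',
];
echo render_login_unsafe($sample), PHP_EOL; // markup leaves the attribute
echo render_login_safe($sample), PHP_EOL;   // markup arrives entity-encoded
```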

References:

CVE-2008-pending

BID: pending

FrSIRT: N/A

Nessus: N/A

OSVDB: pending

SA: pending

XF: pending

Vendor Solution: None available
