XSS vulnerability in CMS Source
| Field | Details |
| --- | --- |
| Vulnerability ID: | HTB22549 |
| Product: | CMS Source |
| Vendor: | Proud Daddy Web Design ( http://www.prouddaddy.net/ ) |
| Vulnerable Version: | Current at 28.07.2010 and Probably Prior Versions |
| Vendor Notification: | 28 July 2010 |
| Public Disclosure: | 11 August 2010 |
| Vulnerability Type: | XSS (Cross Site Scripting) |
| Status: | Not Fixed, Vendor Alerted, Awaiting Vendor Response |
| Risk level: | Medium |
| Credit: | High-Tech Bridge SA |
Vulnerability Details:

A user can execute arbitrary JavaScript code within the vulnerable application. The vulnerability exists due to a failure in the search system to properly sanitize user-supplied input in the "searchstring" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, and disclosure or modification of sensitive data. An attacker can use a browser to exploit this vulnerability. The following PoC is available: http://host/home/demo1/index.php?target=search&subtarget=top&searchstring=%3Cimg+src=0+onerror=alert%28document.cookie%29%3E

Solution:

Currently we are not aware of any vendor-supplied patches or other solutions. If you are aware of more recent information related to this issue please notify us:
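As an added illustration of the defect class and its fix (example code written for this page, not CMS Source's own PHP), the script below assumes `index.php` reflects the `searchstring` parameter into the results page and contrasts the unescaped reflection with output encoding applied at render time; the URL is the advisory's PoC, and the page template is constructed.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# PoC URL from the advisory; parse_qs URL-decodes %3C, %28, %29 and '+'.
POC_URL = ("http://host/home/demo1/index.php?target=search&subtarget=top"
           "&searchstring=%3Cimg+src=0+onerror=alert%28document.cookie%29%3E")


def searchstring_from(url: str) -> str:
    """Extract the searchstring parameter as the server-side script would see it."""
    params = parse_qs(urlsplit(url).query)
    return params.get("searchstring", [""])[0]


def render_vulnerable(searchstring: str) -> str:
    """Constructed template that echoes the parameter verbatim (the flaw described above):
    any markup in the input becomes part of the page and is executed by the browser."""
    return f"<h2>Search results for: {searchstring}</h2>"


def render_fixed(searchstring: str) -> str:
    """Same template with HTML output encoding. escape(quote=True) converts & < > " '
    to entities, which is the role htmlspecialchars($s, ENT_QUOTES, 'UTF-8') plays in PHP."""
    return f"<h2>Search results for: {escape(searchstring, quote=True)}</h2>"


def reflects_raw_markup(page: str, param: str) -> bool:
    """Simple regression check: True if input containing '<' lands in the page unescaped."""
    return "<" in param and param in page


if __name__ == "__main__":
    value = searchstring_from(POC_URL)
    print("vulnerable reflects markup:", reflects_raw_markup(render_vulnerable(value), value))
    print("fixed reflects markup:     ", reflects_raw_markup(render_fixed(value), value))
```

`reflects_raw_markup` is a minimal check suitable for a unit test against the search handler; it does not replace a proper escaping review of every sink the parameter reaches.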