Summary
The host is installed with CMS Made Simple and is prone to multiple xss vulnerabilities.
Impact
Successful exploitation will allow remote attackers to execute arbitrary HTML or script code, steal cookie-based authentication credentials and launch other attacks.
Impact Level: Application
Solution
No Solution or patch is available as of 11th March, 2014. Information regarding this issue will updated once the solution details are available.
For updates refer to http://www.cmsmadesimple.org
Insight
Multiple flaws exist due to improper validation of user supplied input to 'editevent.php', 'pagedefaults.php', 'adminlog.php', 'myaccount.php', 'siteprefs.php', 'addbookmark.php', 'index.php', 'editorFrame.php', 'addhtmlblob.php', 'addtemplate.php', 'addcss.php' scripts.
For more information about the vulnerabilities refer the reference links.
Affected
CMS Made Simple version 1.11.10, Other versions may also be affected.
Detection
Send a crafted data via HTTP GET request and check whether it is vulnerable or not.
References
Severity
Classification
-
CVE CVE-2014-0334, CVE-2014-2092 -
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities
- Apache mod_proxy_ajp Information Disclosure Vulnerability
- Apache Open For Business HTML injection vulnerability
- Apache Web Server ETag Header Information Disclosure Weakness
- Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities
- Apache ActiveMQ Persistent Cross-Site Scripting Vulnerability