Summary
The host is installed with CMS Made Simple and is prone to multiple xss vulnerabilities.
Impact
Successful exploitation will allow remote attackers to execute arbitrary HTML or script code, steal cookie-based authentication credentials and launch other attacks.
Impact Level: Application
Solution
No Solution or patch is available as of 11th March, 2014. Information regarding this issue will updated once the solution details are available.
For updates refer to http://www.cmsmadesimple.org
Insight
Multiple flaws exist due to improper validation of user supplied input to 'editevent.php', 'pagedefaults.php', 'adminlog.php', 'myaccount.php', 'siteprefs.php', 'addbookmark.php', 'index.php', 'editorFrame.php', 'addhtmlblob.php', 'addtemplate.php', 'addcss.php' scripts.
For more information about the vulnerabilities refer the reference links.
Affected
CMS Made Simple version 1.11.10, Other versions may also be affected.
Detection
Send a crafted data via HTTP GET request and check whether it is vulnerable or not.
References
Severity
Classification
-
CVE CVE-2014-0334, CVE-2014-2092 -
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities
- AlienForm CGI script
- Admidio get_file.php Remote File Disclosure Vulnerability
- Aardvark Topsites PHP 'index.php' Multiple Cross Site Scripting Vulnerabilities
- Apache Web Server Configuration File Environment Variable Local Buffer Overflow Vulnerability
- Ampache Reflected Cross Site Scripting Vulnerability