Contenido CMS Multiple Parameter Cross-Site Scripting Vulnerabilities Network Vulnerability

Summary

This host is installed with Contenido CMS and is prone to multiple cross-site scripting vulnerabilities.

Impact

Successful exploitation will allow remote attackers to execute arbitrary HTML and script code in a users browser session in the context of an affected site. Impact Level: Application

Solution

Upgrade to Contenido CMS version 4.9.6 or later. For updates refer http://www.contenido.org/

Insight

Multiple flaws exists as input passed via the 'idart', 'lang', or 'idcat' GET parameters to cms/front_content.php script is not properly sanitised before being returned to the user within the 'checkParams' function.

Affected

Contenido CMS versions 4.9.x through 4.9.5

Detection

Send a crafted data via HTTP GET request and check whether it is able to read cookie or not.

References

http://osvdb.org/116293
http://packetstormsecurity.com/files/129713
http://seclists.org/fulldisclosure/2014/Dec/111
http://secunia.com/advisories/61396

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-9433

CVSS	Base Score: 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Joostina 'index.php' Cross Site Scripting Vulnerability
PunBB detection
Interchange HTTP Response Splitting Vulnerability
Sambar /cgi-bin/mailit.pl installed ?
MediaWiki 'profileinfo.php' Cross Site Scripting Vulnerability

Take action and discover your vulnerabilities