Kajona CMS Multiple Cross-Site Scripting Vulnerabilities Network Vulnerability

Summary

This host is installed with Kajona CMS and is prone to multiple cross-site scripting vulnerabilities.

Impact

Successful exploitation will allow remote attacker to execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. Impact Level: Application

Solution

Upgrade to Kajona CMS version 4.5 or later. For updates refer to http://www.kajona.de

Insight

Multiple flaws exist as, - the search_ajax.tpl and search_ajax_small.tpl scripts in the Search module does not validate input passed via the 'search' parameter. - the system/class_link.php script does not validate input passed via the 'systemid' parameter.

Affected

Kajona CMS version 4.4 and prior.

Detection

Send a crafted HTTP GET request and check whether it is able to read cookie or not.

References

http://www.osvdb.com/108635
http://www.osvdb.com/108887
http://xforce.iss.net/xforce/xfdb/94434
http://xforce.iss.net/xforce/xfdb/94938
https://www.netsparker.com/critical-xss-vulnerability-in-kajonacms

Updated on 2017-03-28

Severity

Classification

CVE CVE-2014-4742, CVE-2014-4743

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Aardvark Topsites <= 4.2.2 Remote File Inclusion Vulnerability
Allaire JRun directory browsing vulnerability
Adobe ColdFusion HTTP Response Splitting Vulnerability
1024 CMS 1.1.0 Beta 'force_download.php' Local File Include Vulnerability
Adobe ColdFusion Unspecified Information Disclosure Vulnerability

Take action and discover your vulnerabilities