Papoo CMS Multiple HTML Injection Vulnerabilities
TITLE: Papoo CMS Multiple HTML Injection Vulnerabilities
CLASS: Input Validation Error
CVE:
REMOTE: Yes
LOCAL: No
PUBLISHED: Jun 15 2007 12:00AM
UPDATE: Jun 16 2007 12:29AM
CREDIT: Nico Leidecker is credited with the discovery of these vulnerabilities.
VULNERABLE:
Papoo Papoo CMS Light 3.6NOT VULNERABLE:
Vai alla pagina originale su Security Focus
Discussion
Papoo CMS is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input data.
Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.
These issues affects Papoo 3.6; prior versions may also be affected.
Exploit
Attackers can use a browser to exploit these issues.
Solution
Solution:
The vendor released a patch to address these issues. Please see the references for more information.
References
References:
- Papoo CMS Homepage (Papoo)
- Sicherheitspatch vom 11.06.2007 (Papoo)
- Papoo CMS - Multiple Cross Site Scripting (nicoLeidecker@web.de)