Contenido CMS Multiple Parameter Cross-Site Scripting Vulnerabilities Network Vulnerability

Summary

This host is installed with Contenido CMS and is prone to multiple cross-site scripting vulnerabilities.

Impact

Successful exploitation will allow remote attackers to execute arbitrary HTML and script code in a users browser session in the context of an affected site. Impact Level: Application

Solution

Upgrade to Contenido CMS version 4.9.6 or later. For updates refer http://www.contenido.org/

Insight

Multiple flaws exists as input passed via the 'idart', 'lang', or 'idcat' GET parameters to cms/front_content.php script is not properly sanitised before being returned to the user within the 'checkParams' function.

Affected

Contenido CMS versions 4.9.x through 4.9.5

Detection

Send a crafted data via HTTP GET request and check whether it is able to read cookie or not.

References

http://osvdb.org/116293
http://packetstormsecurity.com/files/129713
http://seclists.org/fulldisclosure/2014/Dec/111
http://secunia.com/advisories/61396

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-9433
CVSS Base Score: 2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N

Related Vulnerabilities

phpMyAdmin 'db_create.php' Cross Site Scripting Vulnerability
IBM WebSphere Application Server SIP Logging Information Disclosure Vulnerability
Mantis 'manage_proj_cat_add.php' HTML Injection Vulnerability
MediaWiki 'profileinfo.php' Cross Site Scripting Vulnerability
Bitweaver 'edit.php' HTML Injection Vulnerability

Take action and discover your vulnerabilities