Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Contao Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2011-0508)

Description

Cross-site scripting (XSS) vulnerability in system/modules/comments/Comments.php in Contao CMS 2.9.2, and possibly other versions before 2.9.3, allows remote attackers to inject arbitrary web script or HTML via the HTTP X_FORWARDED_FOR header, which is stored by system/libraries/Environment.php but not properly handled by a comments action to main.php.

Remediation

References

Related Vulnerabilities

Piwigo Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2017-9463)

WordPress Plugin Monarch Social Sharing Security Bypass (1.2.6)

WordPress Plugin WP Photo Album Plus Multiple Cross-Site Scripting Vulnerabilities (5.4.4)

WordPress Plugin Backup and Staging by WP Time Capsule PHP Object Injection (1.21.9)

Joomla Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2022-27912)

Severity

Medium

Classification

CVE-2011-0508 CWE-707

Tags

Missing Update Known Vulnerabilities