HIO-2009-0618 Concrete5 Multiple Vulnerabilities
concrete5 contains multiple flaws that allow cross-site request forgery and cross-site scripting.

1) XSS: Input passed via the "uID" parameter to index.php/dashboard/users/search, the "uVal" parameter to index.php/dashboard/users/search (if "task" is set to "simple_search"), the "gKeywords" parameter to index.php/dashboard/users/groups, and the "search_paths[]" parameter to a search block is not properly sanitised (HTML-encoded) before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. The three dashboard pages are only reachable by a logged-in dashboard user, so exploiting them means getting such a user to follow a crafted link; a search block can sit on a public page.

2) CSRF: The application allows users to perform certain actions via HTTP requests without performing any validation checks to verify that the request was intentionally issued by the user. This can be exploited to e.g. deactivate arbitrary users if a logged-in administrative user visits a specially crafted web site.

References:
CVE: CVE-2009-pending
BID:
FrSIRT: N/A
Nessus: N/A
OSVDB: 56346, 56347, 56348, 56349
SA: 35613
Related:

Vendor Solution: Update to 5.3.2
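The following reflection probe is an added example for checking the four XSS entry points named above; it is not part of this advisory and not concrete5 code. It sends a marker string containing the HTML metacharacters `<>"'` to each parameter and reports which of them come back unencoded. The three dashboard paths and their parameter names are taken from the advisory; the path "index.php/search" for the search block is a placeholder assumption, because the advisory names only the "search_paths[]" parameter and a search block can live on any page. The dashboard pages need an authenticated session, so the script accepts a session cookie on the command line. The analysis functions are pure and take a response body, so they can be exercised offline on constructed responses.

```python
"""Reflection probe for the concrete5 XSS parameters named in HIO-2009-0618.

Added example, not code from the advisory or from concrete5.
"""
import re
import sys
import urllib.parse
import urllib.request

PREFIX, SUFFIX = "hioxss", "endxss"
METACHARS = '<>"\''
PROBE = PREFIX + METACHARS + SUFFIX

# (path, query parameters) for each injection point named in the advisory.
# The search-block page path is NOT in the advisory: "index.php/search" is a
# placeholder and must be replaced with a page that actually embeds a search block.
INJECTION_POINTS = [
    ("index.php/dashboard/users/search", {"uID": PROBE}),
    ("index.php/dashboard/users/search", {"task": "simple_search", "uVal": PROBE}),
    ("index.php/dashboard/users/groups", {"gKeywords": PROBE}),
    ("index.php/search", {"search_paths[]": PROBE}),  # placeholder path (assumption)
]


def build_url(base, path, params):
    """Join the site base URL, a path and URL-encoded query parameters."""
    return base.rstrip("/") + "/" + path + "?" + urllib.parse.urlencode(params)


def surviving_metachars(body):
    """Return the set of probe metacharacters that are reflected unencoded,
    or None when the probe marker is not reflected at all.

    Every occurrence of PREFIX is inspected; the text up to the matching
    SUFFIX (or at most 64 characters) is the reflected copy of the payload.
    Entity-encoded (&lt;) or URL-encoded (%3C) copies contain no raw
    metacharacter and therefore count as safe."""
    survivors = set()
    found = False
    for m in re.finditer(re.escape(PREFIX), body):
        found = True
        end = body.find(SUFFIX, m.end())
        stop = end if 0 <= end - m.end() <= 64 else m.end() + 64
        window = body[m.end():stop]
        survivors |= {c for c in METACHARS if c in window}
    return survivors if found else None


def classify(survivors):
    """Turn the surviving-character set into a verdict string."""
    if survivors is None:
        return "not reflected"
    if "<" in survivors and ">" in survivors:
        return "vulnerable: tag injection"
    if survivors & {'"', "'"}:
        # htmlspecialchars() without ENT_QUOTES leaves the single quote alone,
        # which is enough to break out of a single-quoted attribute value.
        return "suspicious: quote survives, attribute-context injection possible"
    return "encoded"


def fetch(url, cookie=None):
    """Fetch a URL, optionally with a session cookie for the dashboard pages."""
    headers = {"Cookie": cookie} if cookie else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def main(argv):
    if len(argv) < 2:
        print("usage: %s http://site.example/ [session-cookie]" % argv[0])
        return 2
    base = argv[1]
    cookie = argv[2] if len(argv) > 2 else None
    for path, params in INJECTION_POINTS:
        url = build_url(base, path, params)
        print(url, "->", classify(surviving_metachars(fetch(url, cookie))))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it only against an installation you are authorised to test, passing the admin session cookie so the dashboard pages render. After updating to 5.3.2 every entry point should report "encoded" or "not reflected"; a "suspicious" verdict means the quote characters are still echoed raw and the surrounding HTML context decides whether that is exploitable. The CSRF issue cannot be confirmed from response bodies alone: the test there is whether the user-deactivation request is accepted without a per-session secret that an attacker's page could not know.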