Nucleus CMS Unspecified HTML Injection Vulnerability

Bugtraq ID:	21104
Class:	Input Validation Error
CVE:	2006-4206
Remote:	Yes
Local:	No
Published:	Nov 15 2006 12:00AM
Updated:	Jul 05 2007 09:57PM
Credit:	JVN is credited with the discovery of this vulnerability.
Vulnerable:	Nucleus CMS Nucleus CMS 3.22 Nucleus CMS Nucleus CMS 3.21 Nucleus CMS Nucleus CMS 3.2 Nucleus CMS Nucleus CMS 3.1 Nucleus CMS Nucleus CMS 3.0 RC Nucleus CMS Nucleus CMS 3.0 1 Nucleus CMS Nucleus CMS 3.0 Nucleus CMS Nucleus CMS 3.23 Nucleus CMS Nucleus CMS 3.23
Not Vulnerable:	Nucleus CMS Nucleus CMS 3.24

Nucleus CMS Unspecified HTML Injection Vulnerability

Nucleus CMS is prone to a HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.

Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible.

Nucleus CMS versions prior to 3.24 are vulnerable.

NOTE: An attacker must have valid member privileges to exploit this issue.

Nucleus CMS Unspecified HTML Injection Vulnerability

An attacker can exploit this issue through a web-client.

Nucleus CMS Unspecified HTML Injection Vulnerability

Solution:
The vendor has released version 3.24 to address this issue. Please see the referenced Release Page for information on how to obtain and apply the fix.

Nucleus CMS Unspecified HTML Injection Vulnerability

References:

• 3.24 Release Anouncement (Nucleus CMS)
  
• Nucleus CMS Homepage (Nucleus)