Civic Website Manager Multiple Cross-Site Scripting Vulnerabilities

Bugtraq ID:	30833
Class:	Input Validation Error
CVE:	CVE-2008-3849
Remote:	Yes
Local:	No
Published:	Aug 25 2008 12:00AM
Updated:	May 07 2015 05:24PM
Credit:	These issues were reported by the vendor.
Vulnerable:	Civic Website Manager Civic Website Manager 1.0
Not Vulnerable:	Civic Website Manager Civic Website Manager 1.0.1

Civic Website Manager Multiple Cross-Site Scripting Vulnerabilities

Civic Website Manager is prone to multiple unspecified cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Versions prior to Civic Website Manager 1.0.1 are vulnerable.

Civic Website Manager Multiple Cross-Site Scripting Vulnerabilities

An attacker can exploit these issues by enticing an unsuspecting victim to follow malicious URIs.

Civic Website Manager Multiple Cross-Site Scripting Vulnerabilities

Solution:
The vendor has released an update. Please see the references for more information.


Civic Website Manager Civic Website Manager 1.0

• Civic Website Manager civc-cms-1.0.1.tar.gz
  http://downloads.sourceforge.net/civic-cms/civc-cms-1.0.1.tar.gz?modti me=1219676406&big_mirror=0&filesize=1167437

Civic Website Manager Multiple Cross-Site Scripting Vulnerabilities

References:

• File Release Notes and Changelog Release Name: 1.0.1 (Civic Website Manager)
  
• Civic Website Manager Project Page (Civic Website Manager)