appRain CMF Cross Site Scripting and SQL Injection Vulnerabilities

Bugtraq ID:	51105
Class:	Input Validation Error
CVE:	CVE-2011-5228 CVE-2011-5229
Remote:	Yes
Local:	No
Published:	Dec 19 2011 12:00AM
Updated:	Oct 29 2012 10:30AM
Credit:	Pim Campers
Vulnerable:	appRain appRain CMF 0.1.5
Not Vulnerable:

appRain CMF Cross Site Scripting and SQL Injection Vulnerabilities

appRain CMF is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

appRain CMF 0.1.5 is vulnerable; other versions may also be affected.

appRain CMF Cross Site Scripting and SQL Injection Vulnerabilities

An attacker can exploit these issues through a browser. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI.

The following example URIs are available:

• /data/vulnerabilities/exploits/51105.txt

appRain CMF Cross Site Scripting and SQL Injection Vulnerabilities

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

appRain CMF Cross Site Scripting and SQL Injection Vulnerabilities

References:

• appRain Homepage (appRain)
  
• appRain CMF v0.1.5 - Multiple Web Vulnerabilities (Vulnerability Research Laboratory - Pim Campers)