Anchor CMS 'real_name' Parameter HTML Injection Vulnerability

Bugtraq ID:	52207
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Feb 29 2012 12:00AM
Updated:	Feb 29 2012 12:00AM
Credit:	Vulnerability Research Laboratory
Vulnerable:	Anchor CMS 2012 Anchor CMS 0.6-0.4
Not Vulnerable:

Anchor CMS 'real_name' Parameter HTML Injection Vulnerability

Anchor CMS is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.

Anchor CMS 0.6-0.4 is vulnerable; other versions may also be affected.

Anchor CMS 'real_name' Parameter HTML Injection Vulnerability

Attackers can use a browser to exploit this issue.

Anchor CMS 'real_name' Parameter HTML Injection Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Anchor CMS 'real_name' Parameter HTML Injection Vulnerability

References:

• Anchor CMS Homepage (Anchor CMS 2012)
  
• Anchor v0.6-0.4 CMS - Persistent Web Vulnerability (Vulnerability Research Laboratory)