CMS Made Simple 'email' Parameter HTML Injection Vulnerability

Bugtraq ID:	52850
Class:	Input Validation Error
CVE:	CVE-2012-1992
Remote:	Yes
Local:	No
Published:	Apr 02 2012 12:00AM
Updated:	Apr 02 2012 12:00AM
Credit:	Ivano Binetti
Vulnerable:	CMS Made Simple CMS Made Simple 1.10.3
Not Vulnerable:

CMS Made Simple 'email' Parameter HTML Injection Vulnerability

CMS Made Simple is prone to an HTML-injection vulnerability because it fails to sanitize user-supplied input.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.

CMS Made Simple 1.10.3 is vulnerable; other versions may also be affected.

CMS Made Simple 'email' Parameter HTML Injection Vulnerability

An attacker can exploit the issue using a browser.

CMS Made Simple 'email' Parameter HTML Injection Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

CMS Made Simple 'email' Parameter HTML Injection Vulnerability

References:

• CMS Made Simple <= 1.10.3 XSS Vulnerability (Ivano Binetti)
  
• CMS Made Simple Homepage (CMS Made Simple)