Plume CMS Multiple HTML Injection Vulnerabilities
BID:52890
Info
Plume CMS Multiple HTML Injection Vulnerabilities
| Bugtraq ID: | 52890 |
| Class: | Input Validation Error |
| CVE: |
CVE-2012-2156 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 04 2012 12:00AM |
| Updated: | Apr 04 2012 12:00AM |
| Credit: | Ivano Binetti |
| Vulnerable: |
Plume-Cms Plume Cms 1.2.4 Plume-Cms Plume Cms 1.2.3 Plume-Cms Plume Cms 1.2.2 |
| Not Vulnerable: | |
Discussion
Plume CMS Multiple HTML Injection Vulnerabilities
Plume CMS is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Plume CMS versions 1.2.4 and prior are vulnerable.
Plume CMS is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Plume CMS versions 1.2.4 and prior are vulnerable.
Exploit / POC
Plume CMS Multiple HTML Injection Vulnerabilities
Attackers can use a browser to exploit these issues.
Attackers can use a browser to exploit these issues.
Solution / Fix
Plume CMS Multiple HTML Injection Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].