Baby Gekko CMS Multiple Cross Site Scripting and HTML Injection Vulnerabilities
BID:53366
Info
Baby Gekko CMS Multiple Cross Site Scripting and HTML Injection Vulnerabilities
| Bugtraq ID: | 53366 |
| Class: | Input Validation Error |
| CVE: |
CVE-2012-3836 CVE-2012-3837 |
| Remote: | Yes |
| Local: | No |
| Published: | May 02 2012 12:00AM |
| Updated: | Mar 08 2015 04:04PM |
| Credit: | Gjoko Krstic. |
| Vulnerable: |
Baby Gekko Gekko Web Builder 1.1.5c |
| Not Vulnerable: |
Baby Gekko Gekko Web Builder 1.2 |
Discussion
Baby Gekko CMS Multiple Cross Site Scripting and HTML Injection Vulnerabilities
Baby Gekko CMS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker could leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Baby Gekko CMS 1.1.5c is vulnerable; other versions may also be affected.
Baby Gekko CMS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker could leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Baby Gekko CMS 1.1.5c is vulnerable; other versions may also be affected.
Exploit / POC
Baby Gekko CMS Multiple Cross Site Scripting and HTML Injection Vulnerabilities
An attacker can exploit these issues by enticing an unsuspecting user to follow a malicious URI.
An attacker can exploit these issues by enticing an unsuspecting user to follow a malicious URI.
Solution / Fix
Baby Gekko CMS Multiple Cross Site Scripting and HTML Injection Vulnerabilities
Solution:
Vendor updates available. Please see the references for more information.
Solution:
Vendor updates available. Please see the references for more information.
References
Baby Gekko CMS Multiple Cross Site Scripting and HTML Injection Vulnerabilities
References:
References:
- Gekko Web Builder Homepage (Baby Gekko)
- Gekko Web Builder zeroscience advisory (Baby Gekko)