Pligg CMS Multiple SQL Injection and Cross Site Scripting Vulnerabilities

Bugtraq ID:	53625
Class:	Input Validation Error
CVE:	CVE-2012-2936 CVE-2012-2937
Remote:	Yes
Local:	No
Published:	May 21 2012 12:00AM
Updated:	Mar 19 2015 07:35AM
Credit:	Kasper Lindgaard, Secunia, High-Tech Bridge SA
Vulnerable:	Pligg Pligg CMS 1.2.1
Not Vulnerable:	Pligg Pligg CMS 1.2.2

Pligg CMS Multiple SQL Injection and Cross Site Scripting Vulnerabilities

Pligg CMS is prone to multiple SQL-injection and cross-site-scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Pligg CMS 1.2.1 is vulnerable; other versions may also be affected.

Pligg CMS Multiple SQL Injection and Cross Site Scripting Vulnerabilities

Attackers can use a browser to exploit these issues. To exploit the cross-site scripting issues, an attacker must entice an unsuspecting user into following a malicious URI.

Pligg CMS Multiple SQL Injection and Cross Site Scripting Vulnerabilities

Solution:
Updates are available. Please see the references for more details.

Pligg CMS Multiple SQL Injection and Cross Site Scripting Vulnerabilities

References:

• Pligg CMS Four SQL Injection Vulnerabilities (secunia)
  
• Pligg CMS Six Cross-Site Scripting Vulnerabilities (secunia)
  
• Pligg CMS Version 1.2.2 (Pligg)
  
• Vendor Homepage (Pligg)