ID CVE-2010-2014 Type cve Reporter NVD Modified 2010-05-24T00:00:00
Description
Cross-site scripting (XSS) vulnerability in cp/list_content.php in LiSK CMS 4.4 allows remote attackers to inject arbitrary web script or HTML via the cl or possibly id parameter.
{"viewCount": 0, "lastseen": "2016-09-03T13:56:58", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "type": "cve", "description": "Cross-site scripting (XSS) vulnerability in cp/list_content.php in LiSK CMS 4.4 allows remote attackers to inject arbitrary web script or HTML via the cl or possibly id parameter.", "assessment": {"name": "", "system": "", "href": ""}, "reporter": "NVD", "published": "2010-05-24T13:30:01", "history": [], "title": "CVE-2010-2014", "cpe": ["cpe:/a:createch-group:lisk_cms:4.4:-:extranet%2fintranet", "cpe:/a:createch-group:lisk_cms:4.4:-:custom", "cpe:/a:createch-group:lisk_cms:4.4:-:portal%2fcommunity", "cpe:/a:createch-group:lisk_cms:4.4:-:e-commerce", "cpe:/a:createch-group:lisk_cms:4.4", "cpe:/a:createch-group:lisk_cms:4.4:-:corporate"], "bulletinFamily": "NVD", "edition": 1, "scanner": [], "id": "CVE-2010-2014", "cvelist": ["CVE-2010-2014"], "hash": "3349b24c8add5ca93e9f7c8df48f1f164f3ceb0d4caca679d33ebc253e1f9066", "modified": "2010-05-24T00:00:00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2014", "objectVersion": "1.2", "references": ["http://www.htbridge.ch/advisory/xss_vulnerability_in_lisk_cms.html"], "enchantments": {"score": {"value": 4.3, "vector": "NONE", "modified": "2016-09-03T13:56:58"}, "vulnersScore": 4.3}}
{"htbridge": [{"lastseen": "2017-06-23T23:08:34", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in LiSK CMS which could be exploited to perform cross-site scripting attacks and execute arbitrary SQL commands in application`s database. \n \n1) Cross-site scripting (XSS) vulnerability in LiSK CMS: CVE-2010-2013 \nThe vulnerability exists due to input sanitation error in the \"id\" parameter in edit_email.php. A remote attacker can send a specially crafted HTTP GET request to the vulnerable script and execute arbitrary HTML and script code in user`s browser in context of the vulnerable website. \nExploitation example: \nhttp://host/path_to_cp/edit_email.php?&id=contact_form_214%27+--+%3Cimg+src= x+onerror=alert%28document.cookie%29%3E \n \n2) Cross-site scripting (XSS) vulnerability in LiSK CMS: CVE-2010-2014 \nThe vulnerability exists due to input sanitation error in the \"cl\" parameter in list_content.php. A remote attacker can send a specially crafted HTTP GET request to the vulnerable script and execute arbitrary HTML and script code in user`s browser in context of the vulnerable website. \nExploitation example: \nhttp://host/path_to_cp/list_content.php?cl=2%27%22%3E%3Cimg+src=x+onerror=al ert%28document.cookie%29%3E \n \n3) SQL injection vulnerabilities in LiSK CMS: CVE-2010-2015 \n3.1 The vulnerability exists due to input sanitation error in the \"id\" parameter in cp_messages.php. A remote attacker can send a specially crafted HTTP GET request to the vulnerable script and execute arbitrary SQL commands in application`s database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database. To exploit this vulnerability user must have \"CP Messages\" privileges. \nExploitation example: \nhttp://host/path_to_cp/cp_messages.php?action=view_inbox&id=-1+union+select+ 1,2,3,4,5,6,7,8,9+--+ \n3.2 The vulnerability exists due to input sanitation error in the \"id\" parameter in edit_email.php. A remote attacker can send a specially crafted HTTP GET request to the vulnerable script and execute arbitrary SQL commands in application`s database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database. To exploit this vulnerability user must have \"CP Messages\" privileges. \nExploitation example: \nhttp://host/path_to_cp/edit_email.php?&id=X%27+union+select+1,2,3,4,5,6+--+\n", "reporter": "High-Tech Bridge", "published": "2010-05-06T00:00:00", "type": "htbridge", "title": "Multiple Vulnerabilities in LiSK CMS", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "LiSK CMS", "version": "4.4", "operator": "le"}], "cvelist": ["CVE-2010-2013", "CVE-2010-2015", "CVE-2010-2014"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2010-05-06T00:00:00", "id": "HTB22371", "href": "https://www.htbridge.com/advisory/HTB22371", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P/"}}]}
