Cross-site Scripting Vulnerability in Acuity CMS

ID HTB22352
Type htbridge
Reporter High-Tech Bridge
Modified 2010-04-19T00:00:00


High-Tech Bridge SA Security Research Lab has discovered a vulnerability in Acuity CMS which could be exploited to perform cross-site scripting (XSS) attacks.

1) Cross-site scripting vulnerability in Acuity CMS
An input sanitization error was found in the "page" parameter of /admin/pages/add_page.asp. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.

Exploitation example:

http://host/admin/pages/add_page.asp?page=58%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E