High-Tech Bridge Security Research Lab discovered vulnerability in Ilch CMS, which can be exploited to perform Cross-Site Scripting (XSS) attacks against users and administrators of vulnerable application.
1) Cross-Site Scripting (XSS) in Ilch CMS: CVE-2014-1944
The vulnerability exists due to insufficient sanitisation of user-supplied data in "text" HTTP POST parameter passed to "/index.php/guestbook/index/newentry" URL. A remote unauthenticated user can send a specially crafted HTTP POST request, which allows to permanently inject and execute arbitrary HTML and script code in user’s browser in context of the vulnerable website when the victim visits the "http://[host]/index.php/guestbook/index/index" URL.
POST /index.php/guestbook/index/newentry HTTP/1.1
ilch_token=5a528778359d4756b9b8803b48fba18b&name=name&email=email%40e mail.com&homepage=http%3A%2F%2Fsite.com&text=<script>alert('immuniwweb');</s cript>&saveEntry=Submit