Reporter Manuel Lopez
#Title: Vulnerabilities in News Manager Lite 2.5 & News Manager Lite
#Software: News Manager Lite 2.5 & News Manager Lite administration.
#Impact: Disclosure of authentication information, Disclosure of user
information, Execution of arbitrary code via network, Modification of user
and admin information, User access via network.
#Underlying OS: Windows NT, Windows 2000, Windows 2003 or Windows XP
---- News Manager Lite 2.5 ----
The Expinion News Manager Lite makes it easy for you to keep your site's
news up-to-date. You can manage all your news items from an online
administration, and keep an archive of older news.
This software has multiple flaws that let remote users hijack the admin
account, inject SQL commands, and conduct cross-site scripting attacks.
#Cross Site Scripting#
This product is vulnerable to cross-site scripting, which allows attackers
to inject HTML and script code into the pages and have it executed in the
client's browser.
Another problem could allow an attacker to inject SQL code to manipulate and
disclose various information from the database.
---- News Manager Lite administration ----
#Cookie Account Hijack#
This issue can be exploited to gain an administrative account with the
You can log in as administrator by modifying the cookie in this "way".
Vendor contacted, the vulnerabilities will be addressed very soon.
Manuel López. firstname.lastname@example.org