Lucene search

packetstormHigh-Tech Bridge SAPACKETSTORM:89196
HistoryMay 05, 2010 - 12:00 a.m.

eliteCMS Cross Site Scripting

High-Tech Bridge SA
`Vulnerability ID: HTB22354  
Product: eliteCMS  
Vendor: Elite Graphix  
Vulnerable Version: 1.01 and Probably Prior Versions  
Vendor Notification: 18 April 2010   
Vulnerability Type: XSS (Cross Site Scripting)  
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response  
Risk level: Medium   
Credit: High-Tech Bridge SA (   
Vulnerability Details:  
User can execute arbitrary JavaScript code within the vulnerable application.   
The vulnerability exists due to failure in the "/admin/edit_page.php" script to properly sanitize user-supplied input in "page" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.  
An attacker can use browser to exploit this vulnerability. The following PoC is available: