Cross site scripting

2010-05-2017:30:00

PRIOn knowledge base

www.prio-n.com

5.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.7%

JSON

Multiple cross-site scripting (XSS) vulnerabilities in index.php in TomatoCMS before 2.0.5 allow remote authenticated users, with “Add new article” privileges, to inject arbitrary web script or HTML via the (1) title, (2) subTitle, and (3) author parameters in conjunction with a /admin/news/article/add PATH_INFO.

CPENameOperatorVersion
tomatocmseq2.0.1
tomatocmseq2.0.0
tomatocmseq2.0.3.1430
tomatocmseq2.0.3
tomatocmseq2.0.2
tomatocmsle2.0.4
tomatocmseq2.0.3.1622

Name	Operator	Version
tomatocms	eq	2.0.1
tomatocms	eq	2.0.0
tomatocms	eq	2.0.3.1430
tomatocms	eq	2.0.3
tomatocms	eq	2.0.2
tomatocms	le	2.0.4
tomatocms	eq	2.0.3.1622

References

holisticinfosec.org/content/view/141/45/

osvdb.org/64550

secunia.com/advisories/39320

secunia.com/secunia_research/2010-59/

www.securityfocus.com/archive/1/511272/100/0/threaded

www.securityfocus.com/bid/40108

exchange.xforce.ibmcloud.com/vulnerabilities/58471