Cross site scripting

2010-05-2017:30:00

PRIOn knowledge base

www.prio-n.com

5.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.9%

JSON

Multiple cross-site scripting (XSS) vulnerabilities in index.php in TomatoCMS before 2.0.5 allow remote authenticated users, with certain creation privileges, to inject arbitrary web script or HTML via the (1) content parameter in conjunction with a /admin/poll/add PATH_INFO, the (2) meta parameter in conjunction with a /admin/category/add PATH_INFO, and the (3) keyword parameter in conjunction with a /admin/tag/add PATH_INFO.

CPENameOperatorVersion
tomatocmseq2.0.1
tomatocmseq2.0.0
tomatocmseq2.0.3.1430
tomatocmseq2.0.3
tomatocmseq2.0.2
tomatocmsle2.0.4
tomatocmseq2.0.3.1622

Name	Operator	Version
tomatocms	eq	2.0.1
tomatocms	eq	2.0.0
tomatocms	eq	2.0.3.1430
tomatocms	eq	2.0.3
tomatocms	eq	2.0.2
tomatocms	le	2.0.4
tomatocms	eq	2.0.3.1622

References

holisticinfosec.org/content/view/141/45/

osvdb.org/64552

osvdb.org/64553

osvdb.org/64554

secunia.com/advisories/39320

www.securityfocus.com/bid/40108

exchange.xforce.ibmcloud.com/vulnerabilities/58475

exchange.xforce.ibmcloud.com/vulnerabilities/58491

exchange.xforce.ibmcloud.com/vulnerabilities/58492