[Vendor Product Description]
Elxis is powerful open source content management system (CMS) released for free under the GNU/GPL license. It has unique multi-lingual features, it follows W3C standards, it is secure, flexible, easy to use, and modern. The development team, Elxis Team, paid extra attention to the optimization of the CMS for the search engines and this lead to high performance of all elxis powered web sites and to high ranking in search engines results.
Persistent/Stored Cross-Site Scripting (XSS) (The cms admin can edit user contact info with XSS codes)
Non-Persistent Cross-Site Scripting (XSS)
[Bug Description and Proof of Concept]
Exploiting the HTML-injection issue allows an attacker to execute HTML and Java Script code in the remote user context to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks may also be possible.
Moreover, Cross Site Scripting (XSS) vulnerabilities are caused due to lack of input validation. This allows malicious people to inject arbitrary HTML and script code. More info at: http://en.wikipedia.org/wiki/Cross-site_scripting
All flaws described here were discovered and researched by:
Ewerson Guimaraes aka Crash DcLabs Security Research Group crash (at) dclabs <dot> com <dot> br
[Patch(s) / Workaround]
[Greetz] DcLabs Security Research Group.
-- Ewerson Guimaraes (Crash) Pentester/Researcher DcLabs Security Team www.dclabs.com.br