Monday, July 30, 2012

HTB23098: Redaxo cross-site scripting (XSS) vulnerability

Redaxo Content Management System (CMS) version 4.4 suffers from a cross-site scripting (XSS) vulnerability:
Input passed via the "subpage" GET parameter to "redaxo/index.php" (when "page" is set to "user" or "template") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in an administrator's browser session in the context of the affected website. Because the injection is reflected from a GET parameter of a backend page, the attacker has to get a logged-in administrator to open a crafted link; the script then runs with that administrator's session.
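
The pattern behind this class of bug, shown as an added illustration rather than Redaxo's own code: a backend router that echoes the "subpage" query value into its navigation markup unescaped, beside a hardened version that both restricts the value to known sub-page keys and HTML-encodes whatever it still reflects. The function names, the allow-list contents and the request payload are hypothetical; Redaxo is written in PHP, so the example is too.

```php
<?php
// Added example, not code from Redaxo. Stand-in for a backend page router
// that reflects the "subpage" GET parameter into HTML. Names are hypothetical.
declare(strict_types=1);

/**
 * Vulnerable pattern: the raw query value is concatenated into an attribute
 * and into element text. A value such as  "><script>...</script>  closes the
 * attribute and the tag and injects markup (reflected XSS).
 */
function render_nav_unsafe(array $get): string
{
    $page    = $get['page'] ?? 'structure';
    $subpage = $get['subpage'] ?? '';

    return '<a href="index.php?page=' . $page . '&subpage=' . $subpage . '">'
         . $subpage . '</a>';
}

/**
 * Hardened pattern. Two independent layers:
 *  1. allow-list: "subpage" is a navigation key, so only known keys pass;
 *  2. output encoding: everything reflected is HTML-escaped for the context
 *     it lands in (attribute value and text), even after the allow-list.
 */
function render_nav_safe(array $get): string
{
    // Hypothetical allow-list; a real CMS would derive this from its
    // registered backend pages instead of hard-coding it.
    $allowed = [
        'structure' => [''],
        'user'      => ['', 'add', 'edit', 'delete'],
        'template'  => ['', 'add', 'edit'],
    ];

    $page = $get['page'] ?? 'structure';
    if (!is_string($page) || !isset($allowed[$page])) {
        $page = 'structure';
    }

    // Strict in_array also rejects arrays (?subpage[]=x) and type-juggled matches.
    $subpage = $get['subpage'] ?? '';
    if (!is_string($subpage) || !in_array($subpage, $allowed[$page], true)) {
        $subpage = ''; // unknown key: fall back, never echo the attacker's value
    }

    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE avoids returning an
    // empty string (and silently dropping output) on invalid UTF-8.
    $h = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<a href="index.php?page=' . $h($page) . '&amp;subpage=' . $h($subpage) . '">'
         . $h($subpage) . '</a>';
}

// Constructed request, the shape an attacker-supplied link would produce.
$request = [
    'page'    => 'user',
    'subpage' => '"><script>alert(document.cookie)</script>',
];

echo 'unsafe: ' . render_nav_unsafe($request) . PHP_EOL;
echo 'safe:   ' . render_nav_safe($request) . PHP_EOL;
```

The allow-list alone would already neutralise this payload, but keeping the encoding step matters: a later change that adds a free-form sub-page name, or reflects the value in a second place, should not reopen the hole. When verifying a fix like this, check every location where the parameter is reflected, not only the one the advisory names.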

Vulnerability ID: HTB23098
Vulnerability Type: Cross-site scripting (XSS)
Risk level: Medium
Vendor Notification / Patch / Public Disclosure Dates: 4 July / 23 July / 25 July 2012
Solution: Fixed, apply vendor's patch

Full details of this advisory, with PoC code examples and the fix, are available in the HTB23098 Security Advisory: Cross-Site Scripting (XSS) in Redaxo.
