Monday, October 8, 2012

HTB23115: Template CMS multiple vulnerabilities

Template CMS version 2.1.1 suffers from XSS and CSRF vulnerabilities.

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Template CMS, which can be exploited to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.

  • CWE-79: cross-site scripting in Template CMS:
    Input passed via the "themes_editor" POST parameter to "admin/index.php" is not properly sanitised before being returned to the user (CVE-2012-4901).
    CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)

  • CWE-352: cross-site request forgery
    Template CMS v.2.1.1 allows an authorized administrator to perform certain actions via HTTP requests without proper validity checks to verify the source of the requests (CVE-2012-4902).
    CVSSv2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
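
A hardened handler for the request described in both findings, as an added example that is not Template CMS code: it rejects POSTs that lack a per-session token (CWE-352) and HTML-encodes the "themes_editor" value before returning it (CWE-79). The function names, the "csrf_token" field and the form layout are assumptions; only the parameter name and "admin/index.php" come from the advisory.

```php
<?php
declare(strict_types=1);
// Added example, not Template CMS source; helper names and "csrf_token" are hypothetical.

/** Return the per-session anti-CSRF token, creating it on first use (PHP 7+). */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** True only when the request carries the token bound to this session. */
function csrf_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return is_string($supplied) && is_string($expected) && $expected !== ''
        && hash_equals($expected, $supplied);   // constant-time comparison
}

function html(string $value): string   // encode for an HTML text node or quoted attribute
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Handle a state-changing admin POST; returns [HTTP status, HTML body]. */
function handle_admin_post(array &$session, array $post): array
{
    if (!csrf_valid($session, $post)) {
        return [403, 'Request rejected: missing or invalid CSRF token.'];
    }
    // Non-string input (e.g. themes_editor[]=x) is treated as empty.
    $raw = is_string($post['themes_editor'] ?? null) ? $post['themes_editor'] : '';
    $form = '<form method="post" action="admin/index.php">'
          . '<input type="hidden" name="csrf_token" value="' . html(csrf_token($session)) . '">'
          . '<textarea name="themes_editor">' . html($raw) . '</textarea>'
          . '</form>';
    return [200, $form];
}

// Constructed demonstration input.
$session = [];
$token   = csrf_token($session);
$markup  = '</textarea><b>markup</b>';
print_r(handle_admin_post($session, ['themes_editor' => $markup]));                          // 403
print_r(handle_admin_post($session, ['themes_editor' => $markup, 'csrf_token' => $token])); // 200, encoded
```

In a real deployment `$session` would be `$_SESSION` after `session_start()` and `$post` would be `$_POST`.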
