![KrisonAV CMS](http://www.krisonav.com/Designs/krisonav_new4/Images/object0.png)
KrisonAV CMS version 3.0.1 suffers from cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities.
- Cross-site scripting (XSS): exists due to insufficient filtering of user-supplied data passed to the "content" HTTP GET parameter of the "services/get_article.php" script. A remote attacker can trick a user into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
- Cross-site request forgery (CSRF): exists due to insufficient verification of the HTTP request origin in the "users_maint.html" script.
Solution: Both weaknesses have been fixed; upgrade to KrisonAV CMS version 3.0.2.
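As an added illustration (not KrisonAV code; the advisory does not include the vendor's source), the following Python models the standard mitigation for each weakness class named above: escaping the "content" parameter before it is echoed back, and requiring both a same-origin request and a per-session token before a state-changing "users_maint.html" action is honoured. The handler names, the allowed origin and the sample requests are assumptions.

```python
import html
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed value: the site's own origin, used for the CSRF origin check.
ALLOWED_ORIGIN = "https://cms.example.test"


def render_article(params: dict) -> str:
    """Hypothetical stand-in for get_article.php: the 'content' GET
    parameter is reflected into the page. HTML-escaping it (including
    quotes) turns any markup in the value into inert text."""
    content = params.get("content", "")
    return f"<div class='article'>{html.escape(content, quote=True)}</div>"


def new_csrf_token() -> str:
    """Per-session anti-CSRF token, generated from a CSPRNG."""
    return secrets.token_urlsafe(32)


def origin_allowed(headers: dict, allowed: str = ALLOWED_ORIGIN) -> bool:
    """Check the request origin: the Origin header (Referer as fallback)
    must match the site's own scheme and host exactly; a missing header
    is rejected rather than assumed benign."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    got, exp = urlsplit(origin), urlsplit(allowed)
    return (got.scheme, got.netloc) == (exp.scheme, exp.netloc)


def users_maint_allowed(headers: dict, form: dict, session_token: str) -> bool:
    """Hypothetical stand-in for the users_maint.html handler: a
    state-changing request is accepted only when it is same-origin AND
    carries the token bound to the caller's session (constant-time
    compare so the check does not leak via timing)."""
    submitted = form.get("csrf_token", "")
    return origin_allowed(headers) and hmac.compare_digest(submitted, session_token)
```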
Source: High-Tech Bridge Advisory HTB23150 - Multiple Vulnerabilities in KrisonAV CMS