vendor:
Elxis CMS
by:
SecurityFocus
7.5
CVSS
HIGH
Cross-Site Scripting and Session-Fixation
79, 384
CWE
Product Name: Elxis CMS
Affected Version From: 2006.1
Affected Version To: 2006.1
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006
Elxis CMS Multiple Cross-Site Scripting and Session-Fixation Vulnerabilities
Elxis CMS is prone to multiple cross-site scripting and session-fixation vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Using the session-fixation issue, the attacker can hijack the session and gain unauthorized access to the affected application.
Mitigation:
Input validation should be used to ensure that user-supplied data is properly sanitized. Additionally, applications should use a secure random session identifier and regenerate the session identifier after successful authentication.
