Explore all Exploits:

pixelpost_v1.7.3 Multiple vulnerabilities

Pixelpost version 1.7.3 is vulnerable to stored XSS and CSRF attacks. The 'Image Title' and 'tags' parameters in the admin login page are vulnerable to stored XSS. An attacker can inject malicious code, such as <script>alert('sweet')</script>, to execute arbitrary JavaScript code. Additionally, the admin password change functionality is vulnerable to CSRF. An attacker can change the admin password by sending a crafted request to the 'options' endpoint.

Persistent XSS Vulnerability in Orchard CMS

A persistent XSS vulnerability was discovered in the Users module that is distributed with the core distribution of the CMS. The issue potentially allows elevation of privileges by tricking an administrator into executing a custom crafted script on his behalf. The issue affects the Username field, since a user is allowed to register a username containing potentially dangerous characters.

4images Cross-Site Scripting Vulnerability

4images is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Pixelpost 1.7.3 Multiple POST Variables SQL Injection Vulnerability

Pixelpost is vulnerable to an SQL injection attack when input is passed to several POST parameters (findfid, id, selectfcat, selectfmon, selectftag). The script (admin/index.php) fails to properly sanitize the input before it is returned to the user, allowing the attacker to compromise the entire DB system and view sensitive information.
