vendor:
CMS
by:
Jose Luis Gongora Fernandez (a.k.a) JosS
5.5
CVSS
MEDIUM
XSS Cookie Stealing / Blind
79
CWE
Product Name: CMS
Affected Version From: 2.0-rc3
Affected Version To: 2.0-rc3
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
2009
PHPEcho CMS 2.0-rc3 (forum) XSS Cookie Stealing / Blind Vulnerability
The PHPEcho CMS 2.0-rc3 (forum) allows for the insertion of JavaScript and HTML code, which can lead to XSS attacks. Additionally, there is a vulnerability that allows for the stealing of cookies. The PoC for XSS is the insertion of JavaScript code or HTML code. The PoC for cookie stealing is a script that redirects the user to a specified URL and includes their cookie information. There is also a blind vulnerability that allows for the execution of SQL queries based on a true or false condition. The PoC for this blind vulnerability includes testing the version number of the database.
Mitigation:
To mitigate this vulnerability, it is recommended to sanitize user input and validate any data that is being displayed or stored. Additionally, it is important to keep the CMS up to date with the latest patches and security updates.