Description
Gjoko Krstic has discovered multiple vulnerabilities in ImpressPages CMS, which can be exploited by malicious users to manipulate certain data, conduct SQL injection attacks, and compromise a vulnerable system, and by malicious people to conduct cross-site scripting attacks.
1) Input passed via the "pageId" parameter to index.php (when "g" is set to "standard", "m" is set to "content_management", "a" is set to "getPageOptionsHtml", and "zoneName" is set to a valid value) is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires the "Content management" permission.
2) Input passed via the "language" parameter when exporting language files is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires the "Localization" permission.
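Items 1 and 2 are the same defect: a request value is spliced into SQL text. The following PHP is an added illustration, not ImpressPages code; the `pages` and `translations` tables, their columns and the function names are assumptions, and an in-memory SQLite database stands in for the CMS database. It shows the concatenating pattern beside a bound-parameter version for an integer (`pageId`) and a string (`language`) value.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database so the example runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, zone TEXT, title TEXT)');
$pdo->exec("INSERT INTO pages VALUES (1, 'main', 'Home'), (2, 'main', 'Unpublished draft')");
$pdo->exec('CREATE TABLE translations (language TEXT, term TEXT, translation TEXT)');
$pdo->exec("INSERT INTO translations VALUES ('en', 'save', 'Save'), ('lt', 'save', 'Išsaugoti')");

// VULNERABLE pattern (assumed shape, not the CMS source): the request value
// becomes part of the SQL text, so a value like "1 OR 1=1" changes the query.
function getPageOptionsVulnerable(PDO $pdo, string $pageId): array
{
    $sql = "SELECT id, title FROM pages WHERE id = $pageId";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: validate the type early, then bind the value as a parameter so it
// is compared as data and can never alter the query's structure.
function getPageOptionsSafe(PDO $pdo, string $pageId): array
{
    if (!ctype_digit($pageId)) {
        throw new InvalidArgumentException('pageId must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT id, title FROM pages WHERE id = :id');
    $stmt->bindValue(':id', (int) $pageId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED string case for the language export: language codes have a known
// shape, so anything else is rejected before the bound query runs.
function exportLanguageSafe(PDO $pdo, string $language): array
{
    if (!preg_match('/^[a-z]{2}(-[A-Z]{2})?$/', $language)) {
        throw new InvalidArgumentException('unexpected language code');
    }
    $stmt = $pdo->prepare('SELECT term, translation FROM translations WHERE language = :lang');
    $stmt->bindValue(':lang', $language, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one normal value and one that mimics an injected value.
foreach (['1', '1 OR 1=1'] as $pageId) {
    printf("vulnerable pageId=%s -> %d row(s)\n", $pageId,
        count(getPageOptionsVulnerable($pdo, $pageId)));
    try {
        printf("safe      pageId=%s -> %d row(s)\n", $pageId,
            count(getPageOptionsSafe($pdo, $pageId)));
    } catch (InvalidArgumentException $e) {
        printf("safe      pageId=%s -> rejected: %s\n", $pageId, $e->getMessage());
    }
}
foreach (['en', "en' OR '1'='1"] as $lang) {
    try {
        printf("export language=%s -> %d row(s)\n", $lang, count(exportLanguageSafe($pdo, $lang)));
    } catch (InvalidArgumentException $e) {
        printf("export language=%s -> rejected: %s\n", $lang, $e->getMessage());
    }
}
```

Run with `php` on a build that has `pdo_sqlite`. The vulnerable function returns every page for the injected value, while the safe functions refuse it before the database is reached; the binding alone would also have been sufficient, but the early type check gives a clean error and a useful log line.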
3) Input passed via the "instanceId" POST parameter to index.php (when "g" is set to "standard", "m" is set to "content_management", and "a" is set to "deleteWidget") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
4) Input passed via the "files[][file]" POST parameter to index.php (when "g" is set to "administrator", "m" is set to "repository", and "a" is set to "deleteFiles") is not properly verified before being used to delete files. This can be exploited to delete arbitrary files via directory traversal sequences.
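Item 4 is a containment problem: a name from the request is joined to a directory and deleted without checking where the result ends up. The PHP below is an added example, not the ImpressPages repository module; the repository directory, the function names and the scratch layout are assumptions. It resolves each `files[][file]` entry with `realpath()` and deletes only when the resolved path still lies under the repository directory.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-supplied relative name against $repositoryDir and return
 * the absolute path only if it stays inside that directory. Returns null
 * for anything that escapes, does not exist, or is not a regular file.
 */
function resolveInsideRepository(string $repositoryDir, string $userPath): ?string
{
    $base = realpath($repositoryDir);
    if ($base === false) {
        return null;
    }
    // NUL bytes truncate paths in the underlying C calls; refuse them outright.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" segments and symlinks, or fails if the path
    // does not exist; the result must still start with the base directory.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/** Delete the requested files; returns which names were deleted or rejected. */
function deleteFilesSafely(string $repositoryDir, array $files): array
{
    $result = ['deleted' => [], 'rejected' => []];
    foreach ($files as $entry) {
        $name = is_array($entry) && isset($entry['file']) ? (string) $entry['file'] : '';
        $path = resolveInsideRepository($repositoryDir, $name);
        if ($path !== null && @unlink($path)) {
            $result['deleted'][] = $name;
        } else {
            $result['rejected'][] = $name;
        }
    }
    return $result;
}

// Constructed scratch layout: one file inside the repository directory and a
// sensitive file one level above it, so the containment check can be observed.
$scratch = sys_get_temp_dir() . '/repo_demo_' . bin2hex(random_bytes(4));
mkdir($scratch . '/repository', 0700, true);
file_put_contents($scratch . '/repository/image.jpg', 'jpeg-bytes');
file_put_contents($scratch . '/config.php', '<?php // sensitive');

// Same shape as the files[][file] POST parameter named in the advisory.
$request = [
    ['file' => 'image.jpg'],
    ['file' => '../config.php'],
    ['file' => 'image.jpg/../../config.php'],
];
print_r(deleteFilesSafely($scratch . '/repository', $request));
var_dump(file_exists($scratch . '/config.php')); // the file above the repository must survive

// Remove the scratch layout.
@unlink($scratch . '/config.php');
@rmdir($scratch . '/repository');
rmdir($scratch);
```

Only `image.jpg` is deleted; both traversal entries are rejected, the first because the resolved path leaves the base directory and the second because `realpath()` cannot descend through a regular file. Checking the prefix with the trailing separator matters: without it, a sibling directory such as `repository2` would pass.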
5) The "Manager::manage()" method in /ip_cms/modules/developer/config_exp_imp/manager.php does not properly check uploaded configuration files before being used in a call to the "require()" function. This can be exploited to upload and execute arbitrary PHP code.
Successful exploitation of this vulnerability requires the "Modules exp/imp" permission.
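Item 5 is fixed by never executing the uploaded file at all. The PHP below is an added example, not the ImpressPages developer module; it assumes a declarative JSON configuration format, an allow-list of setting names and a size cap, all of which are illustrative choices. The upload is parsed as data and validated, so its contents can only ever become strings, numbers and booleans.

```php
<?php
declare(strict_types=1);

// Assumed allow-list: setting name => PHP type reported by gettype().
const ALLOWED_KEYS = [
    'siteName'     => 'string',
    'itemsPerPage' => 'integer',
    'cacheEnabled' => 'boolean',
];
const MAX_CONFIG_BYTES = 65536;

/**
 * Parse and validate an uploaded configuration file. Returns the accepted
 * settings or throws. The file is never passed to require/include/eval.
 */
function importConfig(string $uploadedPath): array
{
    if (!is_file($uploadedPath) || filesize($uploadedPath) > MAX_CONFIG_BYTES) {
        throw new RuntimeException('upload missing or too large');
    }
    $raw = file_get_contents($uploadedPath);
    // json_decode() yields arrays and scalars only; PHP tags are just bad JSON.
    $data = json_decode($raw, true, 4, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException('configuration must be a JSON object');
    }
    $accepted = [];
    foreach ($data as $key => $value) {
        if (!array_key_exists($key, ALLOWED_KEYS)) {
            throw new RuntimeException("unknown setting: $key");
        }
        if (gettype($value) !== ALLOWED_KEYS[$key]) {
            throw new RuntimeException("setting $key has the wrong type");
        }
        $accepted[$key] = $value;
    }
    return $accepted;
}

// Constructed uploads: a well-formed file and one containing PHP source of the
// kind a require() on the upload would have executed.
$good = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($good, json_encode(['siteName' => 'Demo', 'itemsPerPage' => 20]));
$bad = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($bad, "<?php echo 'this would have run'; ?>");

print_r(importConfig($good));
try {
    importConfig($bad);
} catch (JsonException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
unlink($good);
unlink($bad);
```

In a real request handler the path would come from `$_FILES` after checking its `error` field and `is_uploaded_file()`; that part is omitted here so the example runs from the command line. The broader point is that the extension or MIME type of an upload is not a safety check when the file is later included: the format must be one the application parses rather than runs.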
The vulnerabilities are confirmed in version 3.6. Prior versions may also be affected.