Description
Multiple vulnerabilities have been discovered in Croogo CMS, which can be exploited by malicious users to conduct script insertion attacks.
1) Input passed via the "data[Menu][title]" and "data[Menu][alias]" parameters to admin/menus/add is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.
Successful exploitation of this vulnerability requires the "admin_add" permissions under "Menus".
2) Input passed via the "data[Node][title]" parameter to admin/nodes/add/blog, admin/nodes/add/nodes, and admin/nodes/add/page is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.
Successful exploitation of this vulnerability requires the "admin_add" permissions under "Nodes".
The vulnerabilities are confirmed in version 1.3.5. Other versions may also be affected.
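Both issues share one root cause: stored field values (menu title, menu alias, node title) are written into admin pages without output encoding. The following is an added example, not Croogo's own code, showing the vulnerable rendering pattern beside a hardened one. The field names follow the advisory; the render functions, the slug rule for aliases, the sample form values and the `flag_suspicious_fields` triage helper are assumptions constructed for illustration.

```python
"""Output encoding for stored CMS fields (added example, not Croogo's templates)."""
import html
import re

# Constructed sample submission, shaped like the form fields named in the advisory.
CONSTRUCTED_POST = {
    "data[Menu][title]": "Home<script>alert(1)</script>",
    "data[Menu][alias]": 'home" onmouseover="alert(1)',
    "data[Node][title]": "Welcome <img src=x onerror=alert(1)>",
}

# An alias ends up in URLs and attribute values, so it is validated against a
# slug charset rather than relying on HTML escaping alone (assumed rule).
SLUG_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


def render_menu_item_unsafe(title: str, alias: str) -> str:
    """Vulnerable pattern: stored fields interpolated straight into HTML."""
    return f'<li><a href="/{alias}">{title}</a></li>'


def is_valid_alias(alias: str) -> bool:
    """True only when the alias is a plain lowercase slug."""
    return SLUG_RE.fullmatch(alias) is not None


def render_menu_item_safe(title: str, alias: str) -> str:
    """Hardened: encode the text context, validate the URL/attribute context."""
    if not is_valid_alias(alias):
        raise ValueError(f"alias rejected: {alias!r}")
    return f'<li><a href="/{alias}">{html.escape(title, quote=True)}</a></li>'


def render_node_title_safe(title: str) -> str:
    """Node titles are text content: HTML-encode them on output."""
    return f"<h1>{html.escape(title, quote=True)}</h1>"


# Characters that have no business in a menu or node title; used for triage only.
MARKUP_RE = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)


def flag_suspicious_fields(post: dict) -> list:
    """Detection aid: names of submitted fields whose value carries markup.

    Output encoding is the fix; this only helps review stored or logged data.
    """
    return [name for name, value in post.items() if MARKUP_RE.search(value)]


if __name__ == "__main__":
    title = CONSTRUCTED_POST["data[Menu][title]"]
    print("unsafe:", render_menu_item_unsafe(title, "home"))
    print("safe:  ", render_menu_item_safe(title, "home"))
    print("node:  ", render_node_title_safe(CONSTRUCTED_POST["data[Node][title]"]))
    print("flagged:", flag_suspicious_fields(CONSTRUCTED_POST))
```

The unsafe renderer emits the `<script>` element verbatim, which is the behaviour the advisory describes; the safe one turns it into inert text and refuses an alias that would break out of the `href` attribute. Encoding must match the context the value lands in, which is why the alias gets a validation rule rather than only `html.escape`.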