|
Description
|
|
Multiple vulnerabilities were identified in Contrexx, which could be exploited by malicious users to conduct SQL injection, cross site scripting and information disclosure attacks.
The first issue is due to an input validation error in the "poll" and "gallery" modules that do not properly filter a specially crafted "pId" or "votingoption" parameter, which may be exploited by remote users to conduct SQL injection attacks.
The second vulnerability is due to an input validation error in the search form that does not properly filter a specially crafted "term" parameter, which may be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser.
The third flaw resides in the blog module that does not properly filter incoming RSS aggregations, which may be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser.
The fourth issue resides in the "config/version.xml" file that contains the installation version of Contrexx.
|
