Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 28 Jun 2011 16:24:28 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE Request: Mambo CMS 4.6.x | Multiple Cross
 Site Scripting Vulnerabilities

Please use CVE-2011-2499

Thanks.

-- 
    JB


----- Original Message -----
> 1. OVERVIEW
> 
> Mambo CMS 4.6.5 and lower versions are vulnerable to Cross Site
> Scripting.
> 
> 
> 2. BACKGROUND
> 
> Mambo is a full-featured, award-winning content management system that
> can be used for everything from simple websites to complex corporate
> applications. It is used all over the world to power government
> portals, corporate intranets and extranets, ecommerce sites, nonprofit
> outreach, schools, church, and community sites. Mambo's "power in
> simplicity" also makes it the CMS of choice for many small businesses
> and personal sites.
> 
> 
> 3. VULNERABILITY DESCRIPTION
> 
> Multiple parameters are not properly sanitized, which allows attacker
> to conduct Cross Site Scripting attack.
> This may allow an attacker to create a specially crafted URL that
> would execute arbitrary script code in a victim's browser.
> If a user has already logged in to the application, an XSS attack will
> execute promptly.
> If not, it will execute after the user's successful logging in.
> 
> 
> 4. VERSIONS AFFECTED
> 
> Tested on Mambo CMS 4.6.5 (current as of 2011-06-27)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.