Vulnerability in version <= 1.20

Brought to you by: hoesterholt

#2 Vulnerability in version <= 1.20

Status: closed-fixed

Owner: nobody

Labels: None

Priority: 5

Updated: 2009-10-13

Created: 2009-01-11

Creator: Anonymous

Private: No

XSS vulnerability on CMME version <= 1.20.
An attacker can inject HTML code inside login page.
1) Go to admin.php
2) In username insert HTML code (ex: <script>alert('I ve injected this');</script> and for password anything you want
3) Press "Login" button and code will be executed

You should not put in output what user wrote.
Please fix in next release.

Regards from italy
R00T_ATI
r00t.ati@gmail.com

Discussion

Hans Oesterholt-Dijkema - 2009-07-04

status: open --> closed-accepted
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Hans Oesterholt-Dijkema - 2009-07-04

Thanks! I'll fix this in version 1.22.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Hans Oesterholt-Dijkema - 2009-10-13

status: closed-accepted --> closed-fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Vulnerability in version <= 1.20

Group

Searches

Help

#2 Vulnerability in version <= 1.20

Discussion