XSS vulnerability on CMME version <= 1.20.
An attacker can inject HTML code inside login page.
1) Go to admin.php
2) In username insert HTML code (ex: <script>alert('I ve injected this');</script> and for password anything you want
3) Press "Login" button and code will be executed
You should not put in output what user wrote.
Please fix in next release.
Regards from italy
Log in to post a comment.