Acuity CMS 2.6.x <= Cross Site Scripting
- To: full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>, bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, secalert@xxxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, vuln <vuln@xxxxxxxxxxx>, vuln@xxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, moderators@xxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, submit@xxxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx
- Subject: Acuity CMS 2.6.x <= Cross Site Scripting
- From: YGN Ethical Hacker Group <lists@xxxxxxxx>
- Date: Wed, 18 Apr 2012 00:32:39 +0800
- List-id: <bugtraq.list-id.securityfocus.com>
Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Cross Site Scripting.
Acuity CMS is a powerful but simple, extremely easy to use, low
priced, easy to deploy content management system. It is a leader in
its price and feature class.
3. VULNERABILITY DESCRIPTION
The "UserName" parameter is not properly sanitized upon submission to
the URL /admin/login.asp, which allows an attacker to conduct a Cross
Site Scripting attack. This may allow an attacker to create a specially
crafted URL that would execute arbitrary script code in a victim's
4. VERSIONS AFFECTED
Tested in version 2.6.2.
The Acuity CMS is no longer in active development.
It is recommended to use another CMS that is actively developed and supported.
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-04-17: vulnerability disclosed
Original Advisory URL:
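
Added example, not part of the original advisory: for sites that still run an affected install, one way to review web access logs for requests to /admin/login.asp whose "UserName" value carries HTML markup characters after URL decoding. The common-log-format sample lines, the addresses and the function name are constructed for illustration; IIS W3C logs keep the query string in a separate field and would need a different line pattern.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Apr/2012:09:00:01 +0000] "GET /admin/login.asp HTTP/1.1" 200 2310',
    '192.0.2.11 - - [18/Apr/2012:09:00:07 +0000] "GET /admin/login.asp?UserName=editor01 HTTP/1.1" 200 2324',
    '192.0.2.12 - - [18/Apr/2012:09:01:15 +0000] "GET /admin/login.asp?UserName=%22%3E%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 2351',
    '192.0.2.13 - - [18/Apr/2012:09:02:40 +0000] "GET /Admin/Login.asp?username=%3Cb%3Etest HTTP/1.1" 200 2340',
    '192.0.2.14 - - [18/Apr/2012:09:03:02 +0000] "GET /news.asp?UserName=%3Cb%3E HTTP/1.1" 200 900',
]

# Client address and request target from a common-log-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Characters that should not appear in a login name and that matter for
# HTML injection. An apostrophe can occur in real names, so expect some noise.
MARKUP_CHARS = set('<>"\'')


def suspicious_login_requests(lines):
    """Return (client, decoded_value) for each request to /admin/login.asp
    whose UserName parameter contains markup characters after URL decoding."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, target = m.groups()
        url = urlsplit(target)
        # IIS paths and classic ASP parameter names are case-insensitive.
        if url.path.lower() != "/admin/login.asp":
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for name, values in params.items():
            if name.lower() != "username":
                continue
            for value in values:  # parse_qs has already percent-decoded
                if MARKUP_CHARS & set(value):
                    hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_login_requests(SAMPLE_LOG):
        print(f"{client}\tUserName={value!r}")
```
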