CVE-2010-4877
published 2011-10-07CVE-2010-4877: Cross-site scripting (XSS) vulnerability in index.php in OneCMS 2.6.1 allows remote attackers to inject arbitrary web script or HTML via the view parameter.
PriorityP418medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EXPLOIT
EPSS
1.50%
71.1th percentile
Cross-site scripting (XSS) vulnerability in index.php in OneCMS 2.6.1 allows remote attackers to inject arbitrary web script or HTML via the view parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| insanevisions | onecms | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
FlatnuX CMS - Cross-Site Request Forgery (Add Admin)
exploitdb·2012-04-01
CVE-2012-4877 FlatnuX CMS - Cross-Site Request Forgery (Add Admin)
FlatnuX CMS - Cross-Site Request Forgery (Add Admin)
---
source: https://www.securityfocus.com/bid/52846/info
Flatnux is prone to multiple security vulnerabilities:
1. An HTML-injection vulnerability
2. A cross-site request-forgery vulnerability
3. A directory-traversal vulnerability
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, obtain sensitive information, or control how the site is rendered to the user. Other attacks are also possible.
The following versions are vulnerable:
Flatnux 2011-08.09.2
Flatnux 2011-2012-01.03.3
Flatnux 2011-minimal-2012-01.03.3
Fncommerce 2010-08-09-no-db
Fncommerce 2010-08-09-no-sample-data
Fncommerce
Exploit-DB
OneCMS 2.6.1 - 'index.php' Cross-Site Scripting
exploitdb·2010-09-02
CVE-2010-4877 OneCMS 2.6.1 - 'index.php' Cross-Site Scripting
OneCMS 2.6.1 - 'index.php' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/42949/info
OneCMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
OneCMS version 2.6.1 is vulnerable; others may also be affected.
http://www.example.com/index.php?load=elite&view=1%3C/title%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
No writeups or analysis indexed.
2011-10-07
Published