CVE-2012-0699
published 2018-01-11CVE-2012-0699: Multiple cross-site request forgery (CSRF) vulnerabilities in Family Connections CMS (aka FCMS) 2.9 and earlier allow remote attackers to hijack the…
PriorityP351high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
3.57%
87.9th percentile
Multiple cross-site request forgery (CSRF) vulnerabilities in Family Connections CMS (aka FCMS) 2.9 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add news via an add action to familynews.php or (2) add a prayer via an add action to prayers.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| haudenschilt | family_connections_cms | <= 2.9.0 | — |
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_redhat6.8MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-rqvf-64h2-w7v3: Multiple cross-site request forgery (CSRF) vulnerabilities in Family Connections CMS (aka FCMS) 2
ghsa_unreviewed·2022-05-14
CVE-2012-0699 [HIGH] CWE-352 GHSA-rqvf-64h2-w7v3: Multiple cross-site request forgery (CSRF) vulnerabilities in Family Connections CMS (aka FCMS) 2
Multiple cross-site request forgery (CSRF) vulnerabilities in Family Connections CMS (aka FCMS) 2.9 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add news via an add action to familynews.php or (2) add a prayer via an add action to prayers.php.
Red Hat
openssl: record length handling integer underflow
vendor_redhat·2012-05-10·CVSS 6.8
CVE-2012-2333 [MEDIUM] CWE-190 openssl: record length handling integer underflow
openssl: record length handling integer underflow
Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.
Statement: This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3 and 4. The openssl versions in Red Hat Enterprise Linux 5 and 6 were partially affected, as they support DTLS, but they do not support TLS 1.1 and TLS 1.2. This issue was addressed in Red Hat Enterprise Linux 5 and 6 via RHSA-2012:0699.
Package: openssl (Red Hat Enterprise Linux 4)
No detection rules found.
Exploit-DB
Family CMS 2.9 - Multiple Vulnerabilities
exploitdb·2012-03-26
CVE-2012-0699 Family CMS 2.9 - Multiple Vulnerabilities
Family CMS 2.9 - Multiple Vulnerabilities
---
Family CMS 2.9 and earlier multiple Vulnerabilities
# Exploit Title: Family CMS 2.9 and earlier multiple Vulnerabilities
# Download link :http://sourceforge.net/projects/fam-connections/files/Family%20Connections/2.9/FCMS_2.9.zip/download
# Author: Ahmed Elhady Mohamed
# Email : [email protected]
# version: 2.9
# Category: webapps
# Tested on: ubuntu 11.4
Tips:
*****First we must install all optional sections during installation process.*****
1- CSRF Vulnerabilities :
POC 1: Page "familynews.php"
function autosubmit() {
document.getElementById('ChangeSubmit').submit();
}
POC 2:Page "prayers.php"
function autosubmit() {
document.getElementById('ChangeSubmit').submit();
}
2-Reflected XSS
POC
Exploit-DB
Family CMS 2.7.2 - Multiple Persistent Cross-Site Scripting Vulnerabilities
exploitdb·2011-12-10
CVE-2012-0699 Family CMS 2.7.2 - Multiple Persistent Cross-Site Scripting Vulnerabilities
Family CMS 2.7.2 - Multiple Persistent Cross-Site Scripting Vulnerabilities
---
FCMS_2.7.2 cms and earlier multiple stored XSS Vulnerability
# Exploit Title: FCMS_2.7.2 cms multiple stored XSS Vulnerability
Download link :http://sourceforge.net/projects/fam-connections/files/Family%20Connections/2.7.2/FCMS_2.7.2.zip/download
# Author: Ahmed Elhady Mohamed
# Category:: webapps
# Tested on: windows XP Sp2 En
#First we must install all optional sections during installation process.
#############################################Stored XSS################################################################
page : messageboard.php?thread=1
decription: if you ADD javascript code in " reply " field , the code will execute in " profile.php?member=1 " page.
page : familynews.php?addnews=ye
No writeups or analysis indexed.
2018-01-11
Published