
CMS Made Simple 'email' Parameter HTML Injection Vulnerability

http://www.securityfocus.com/bid/52850

Security Info

Bugtraq ID: 52850
Class: Input Validation Error
CVE: CVE-2012-1992
Remote: Yes
Local: No
Published: Apr 02 2012 12:00AM
Updated: Apr 02 2012 12:00AM
Credit: Ivano Binetti
Vulnerable: CMS Made Simple CMS Made Simple 1.10.3
Not Vulnerable:

Security Discussion

CMS Made Simple is prone to an HTML-injection vulnerability because it fails to sanitize user-supplied input.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.

CMS Made Simple 1.10.3 is vulnerable; other versions may also be affected.

Proof of Concept and Security Exploits

An attacker can exploit the issue using a browser.

Security Solution(s)

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.
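
In the absence of a vendor patch, this class of flaw is handled by validating the 'email' value on input and HTML-encoding it wherever it is written back into a page. The PHP below is an added example, not code from CMS Made Simple or from the advisory; the function names and form markup are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example: hypothetical handler, not CMS Made Simple code.

/**
 * Accept only a conservative address shape: no quotes, angle brackets,
 * whitespace or control characters. Returns the address, or null if rejected.
 */
function normalize_email(string $raw): ?string
{
    $raw = trim($raw);
    if (strlen($raw) > 254) {
        return null;
    }
    // Allowlist stricter than RFC 5322: quoted local parts are rejected.
    if (!preg_match('/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/', $raw)) {
        return null;
    }
    return $raw;
}

/** Encode a value for an HTML text node or a quoted attribute value. */
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Re-render the form field, echoing the submitted value in encoded form. */
function render_email_field(string $raw): string
{
    $email = normalize_email($raw);
    $error = $email === null ? '<p class="error">Invalid e-mail address.</p>' : '';
    // The raw input is encoded even when it failed validation, so a rejected
    // value cannot break out of the attribute when the form is shown again.
    return $error . '<input type="text" name="email" value="' . html_out($raw) . '">';
}

// Constructed sample inputs: one well-formed address, one carrying markup.
$samples = ['user@example.com', '"><b>injected</b>'];
foreach ($samples as $sample) {
    echo render_email_field($sample), PHP_EOL;
}
```

Validation and encoding are both applied because either one alone leaves a gap: a permissive validator can pass markup characters, and a value that is only validated may still be echoed unencoded on the error path.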
