
Security in Context: The BeyondTrust Blog

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist


QuickCMS Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) Vulnerabilities

Disclosed April 9, 2014 (Zeroday: 111 days)

Vulnerability Description:

QuickCMS contains two vulnerabilities that allow an attacker to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. A remote attacker can execute arbitrary HTML and script within the context of the user's browser session (XSS) and cause the user's browser to perform actions on the application via forged HTTP requests (CSRF).

Vendors:

Open Solution

Vulnerable Software/Devices:

QuickCMS 5.4 and possibly other versions

Vulnerability Severity:

Medium

Exploit Availability:

Publicly Available

Exploit Impact:

Cross-Site Scripting
Input sent via the URL to admin.php is not properly sanitized, so attacker-controlled HTML or script returned to the user executes within the context of the user's browser.

Cross-Site Request Forgery
Attackers may send crafted HTTP requests to QuickCMS, which fails to validate that the requests originated from the application itself. When an already logged-on user visits a specially crafted web page designed to exploit this vulnerability, such requests may allow an attacker to change administrator credentials.
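To illustrate the two defect classes described above, the following added example (not QuickCMS code, and not from BeyondTrust) models a hypothetical admin handler in Python: the vulnerable version echoes a URL parameter unencoded and accepts a password change from any request carrying a session cookie, while the hardened version HTML-encodes the reflected value, checks the Origin header against an assumed site origin, and requires a per-session anti-CSRF token.

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs

SITE_ORIGIN = "https://cms.example"   # assumed origin of the hypothetical admin UI
SESSIONS = {}                         # constructed in-memory session store

def new_session():
    """Create a logged-in admin session with a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf": secrets.token_hex(32), "password": "initial"}
    return sid

def csrf_token(sid):
    """Token the hardened handler expects in the password-change form."""
    return SESSIONS[sid]["csrf"]

def vulnerable_admin(sid, query, form, origin=None):
    """Models both reported defects in one handler: the 'page' URL parameter is
    echoed into the response without encoding (XSS), and any request carrying a
    valid session cookie may change the password (CSRF)."""
    sess = SESSIONS[sid]
    name = parse_qs(query).get("page", [""])[0]
    body = "<h1>Admin: " + name + "</h1>"          # raw reflection of URL input
    if "new_password" in form:                      # no token, no origin check
        sess["password"] = form["new_password"]
    return body, 200

def hardened_admin(sid, query, form, origin=None):
    """Same handler with the two standard fixes applied."""
    sess = SESSIONS[sid]
    name = parse_qs(query).get("page", [""])[0]
    body = "<h1>Admin: " + html.escape(name) + "</h1>"   # HTML-encode reflected input
    if "new_password" in form:
        # Reject cross-site submissions: when the browser sends an Origin header it
        # must be our site, and the form must carry the session's secret anti-CSRF
        # token, compared in constant time.
        if origin is not None and origin != SITE_ORIGIN:
            return body, 403
        if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf"]):
            return body, 403
        sess["password"] = form["new_password"]
    return body, 200
```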

BeyondTrust Prevention and Detection:

BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.

  • 33668 - QuickCms 5.4 and Prior Multiple Vulnerabilities (Zero-Day)

Mitigation:

No mitigations are currently available.

Links:

CVE(s):

None