CVE-2013-3535

Name of the Vulnerable Software and Affected Versions CMSLogik versions 1.2.0 through 1.2.1

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved through various parameters, including admin email, header title, site title, recaptcha private, recaptcha public, fb appid, fp secret, tw consumer key, tw consumer secret, slug, and item link, which are accessible via specific API endpoints such as "admin/settings", "admin/captcha settings", "admin/social settings", "admin/gallery/save item settings", and "admin/edit menu item ajax".

Recommendations For CMSLogik versions 1.2.0 and 1.2.1, consider disabling the parameters admin email, header title, site title, recaptcha private, recaptcha public, fb appid, fp secret, tw consumer key, tw consumer secret, slug, and item link in their respective API endpoints until a patch is available. Restrict access to the "admin/settings", "admin/captcha settings", "admin/social settings", "admin/gallery/save item settings", and "admin/edit menu item ajax" endpoints to minimize the risk of exploitation.