CVE-2019-12361

Name of the Vulnerable Software and Affected Versions EmpireCMS version 7.5.0

Description The issue allows for XSS via the from parameter to "e/member/doaction.php". This can be exploited using a CSRF payload to change the dynamic page template. An attacker can resend the "e/template/member/regsend.php" registered activation mail page.

Recommendations For EmpireCMS version 7.5.0, consider restricting access to the "e/member/doaction.php" endpoint to minimize the risk of exploitation. Avoid using the from parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.