CVE-2010-1515

Name of the Vulnerable Software and Affected Versions TomatoCMS versions 2.0.6 and earlier

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via specific parameters in conjunction with certain PATH INFO. The affected parameters include keyword, article-id, fileId, name, email, and address. The vulnerable PATH INFO includes /admin/news/article/list, /admin/multimedia/set/list, /admin/multimedia/file/list, and /admin/ad/client/list.

Recommendations For TomatoCMS versions 2.0.6 and earlier, update to a version later than 2.0.6 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable parameters keyword, article-id, fileId, name, email, and address in the affected API endpoints until a patch is available. Avoid using the parameters keyword, article-id, fileId, name, email, and address in the affected PATH INFO until the issue is resolved.