CVE-2015-1058

Name of the Vulnerable Software and Affected Versions AdaptCMS version 3.0.3

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved through various parameters and endpoints, including the "data[Category][title]" parameter to "admin/categories/add", the "data[Field][title]" parameter to "admin/fields/ajax fields/", the "name" property in a "basicInfo" JSON object to "admin/tools/create theme", the "data[Link][link title]" parameter to "admin/links/links/add", or the "data[ForumTopic][subject]" parameter to "forums/off-topic/new".

Recommendations For AdaptCMS version 3.0.3, consider disabling access to the vulnerable endpoints, such as "admin/categories/add", "admin/fields/ajax fields/", "admin/tools/create theme", "admin/links/links/add", and "forums/off-topic/new", until a patch is available. Additionally, restrict the use of the vulnerable parameters, including data[Category][title], data[Field][title], the name property in the basicInfo JSON object, data[Link][link title], and data[ForumTopic][subject], to minimize the risk of exploitation.