CVE-2015-1422

Name of the Vulnerable Software and Affected Versions Gecko CMS versions 2.2 through 2.3

Description The issue allows remote attackers to inject arbitrary web script or HTML via multiple parameters in admin/index.php and js/editor/plugins/filemanager/dialog.php. The vulnerable parameters include horder[], jak catid, jak content, jak css, jak delete log[], jak email, jak extfile, jak file, jak hookshow[], jak img, jak javascript, jak lcontent, jak name, jak password, jak showcontact, jak tags, jak title, jak url, jak username, real hook id[], sp, sreal plugin id[], ssp, and sssp in admin/index.php, as well as editor, field id, fldr, lang, popup, subfolder, and type in js/editor/plugins/filemanager/dialog.php.

Recommendations For Gecko CMS versions 2.2 through 2.3, consider disabling access to the admin/index.php and js/editor/plugins/filemanager/dialog.php files until a patch is available. Restrict input for the vulnerable parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.