PT-2018-10492 · Clippercms · Clippercms
Nathu Nandwani
·
Published
2018-05-24
·
Updated
2018-06-25
·
CVE-2018-11332
CVSS v3.1
4.8
Medium
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
ClipperCMS version 1.3.3
Description
A stored cross-site scripting (XSS) issue exists due to improper validation of user input in the "Site Name" field, located in the "site" tab under configurations. This allows remote attackers to inject arbitrary web script or HTML via a crafted site name to the "manager/processors/save settings.processor.php" file.
Recommendations
For ClipperCMS version 1.3.3, as a temporary workaround, consider validating and sanitizing all user input for the "Site Name" field to prevent XSS attacks. Restrict access to the "manager/processors/save settings.processor.php" file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Clippercms