PT-2020-7208 · Axous · Axous

Ivano Binetti · Published 2020-02-20 · Updated 2020-02-28 · CVE-2012-2629

CVSS v2.0: 6.8 (Medium) · Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Axous versions 1.1.1 and earlier

Description: Multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) issues allow remote attackers to hijack the authentication of administrators for requests. The issues are reachable through various parameters of several PHP files, including page_title to "admin/content_pages_edit.php", category_name[] to "admin/products_category.php", and multiple parameters to "admin/settings_siteinfo.php", "admin/settings_company.php", and "admin/settings_email.php".

Recommendations: For Axous versions 1.1.1 and earlier, consider disabling access to the vulnerable PHP files, such as "admin/administrators_add.php", "admin/content_pages_edit.php", "admin/products_category.php", "admin/settings_siteinfo.php", "admin/settings_company.php", and "admin/settings_email.php", until a patch is available. Restrict the use of the vulnerable parameters, including page_title, category_name[], site_name, seo_title, meta_keywords, company_name, address1, address2, city, state, country, author_first_name, author_last_name, author_email, contact_first_name, contact_last_name, contact_email, general_email, general_phone, general_fax, sales_email, sales_phone, support_email, support_phone, system_email, sender_name, smtp_server, smtp_username, smtp_password, and order_notice_email, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Tags: Exploit · Fix · CSRF

Related Identifiers: CVE-2012-2629

Affected Products: Axous