CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerability

CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerability

 

Exploit Title: Smartwebsites SmartCMS v.2 Multiple SQL Injection Security Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)
CVE Reference: CVE-2014-9558
CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

 

 

Advisory Details:

 

(1) Vendor & Product Description

 

Vendor: Smartwebsites

 

Product & Version: SmartCMS v.2

 

Vendor URL & Download:

 

Product Description:
“SmartCMS is one of the most user friendly and smart content management systems there is in the Cyprus market. It makes the content management of a webpage very easy and simple, regardless of the user’s technical skills.”

 

(2) Vulnerability Details:
SmartCMS v.2 has a security vulnerability. It can be exploited by SQL Injection attacks.

 

(2.1) The first vulnerability occurs at “index.php?” page with “pageid” “lang” multiple parameters.

 

(2.2) The second vulnerability occurs at “sitemap.php?” page with “pageid” “lang” multiple parameters.

 

 

References:

 

Advertisements

CVE-2014-9557 SmartCMS Multiple XSS (Cross-Site Scripting) Security Vulnerability

CVE-2014-9557 SmartCMS Multiple XSS (Cross-Site Scripting) Security Vulnerability

 

Exploit Title: Smartwebsites SmartCMS v.2 Multiple XSS Security Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9557
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

 

 

Advisory Details:

 

(1) Vendor & Product Description
Vendor: Smartwebsites
Product & Version: SmartCMS v.2
Vendor URL & Download:
Product Description: “SmartCMS is one of the most user friendly and smart content management systems there is in the Cyprus market. It makes the content management of a webpage very easy and simple, regardless of the user’s technical skills.”

 

(2) Vulnerability Details:
SmartCMS v.2 has a security vulnerability. It can be exploited by XSS attacks.
(2.1) The first vulnerability occurs at “index.php?” page with “pageid” “lang” multiple parameters.
(2.2) The second vulnerability occurs at “sitemap.php?” page with “pageid” “lang” multiple parameters.

 

 

 

 

References:

 

 

 

CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities

CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities
Exploit Title: SnipSnap /snipsnap-search? query Parameter XSS
Product: SnipSnap
Vulnerable Versions: 0.5.2a 1.0b1 1.0b2
Tested Version: 0.5.2a 1.0b1 1.0b2
Advisory Publication: Jan 30, 2015
Latest Update: Jan 30, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9559
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

 

 

Advisory Details:

 

(1) Vendor & Product Description
Vendor:
SnipSnap
Product & Version:
SnipSnap
0.5.2a
1.0b1
1.0b2
Vendor URL & Download:
Product Description:
“SnipSnap is a user friendly content management system with features such as wiki and weblog. “

 

(2) Vulnerability Details:
SnipSnap has a security problem. It can be exploited by XSS attacks.
(2.1) The vulnerability occurs at “snipsnap-search?” page with “query” parameter.

 

 


References: