Multiple Vulnerabilities in HTML-EDIT CMS
Advisory ID: | HTB22734 |
Product: | HTML-EDIT CMS |
Vendor: | html-edit web services |
Vulnerable Versions: | 3.1.8 and probably prior |
Tested Version: | 3.1.8 |
Advisory Publication: | December 2, 2010 [without technical details] |
Vendor Notification: | December 2, 2010 |
Public Disclosure: | December 16, 2010 |
Latest Update: | December 9, 2010 |
Vulnerability Type: | SQL Injection [CWE-89] Cross-Site Scripting [CWE-79] Information Exposure Through Externally-generated Error Message [CWE-211] |
CVE References: | CVE-2010-4609 CVE-2010-4610 CVE-2010-4611 |
Risk Level: | High |
CVSSv2 Base Scores: | 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N) |
Solution Status: | Fixed by Vendor |
Discovered and Provided: | High-Tech Bridge Security Research Lab |
Advisory Details: | |
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in HTML-EDIT CMS which could be exploited to perform cross-site scripting and SQL injection attacks. | |
Solution: | |
Upgrade to the most recent version | |
References: | |
[1] High-Tech Bridge Advisory HTB22734 - https://www.immuniweb.com/advisory/HTB22734 - Multiple Vulnerabilities in HTML-EDIT CMS [2] HTML-EDIT CMS - html-edit.org - HTML-EDIT CMS is a free, easy, secure and open source content management system. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. | |
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.