CVE-2013-3535 : Multiple cross-site scripting (XSS) vulnerabilities in CMSLogik 1.2.0 and 1.2.1

Multiple cross-site scripting (XSS) vulnerabilities in CMSLogik 1.2.0 and 1.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) admin_email, (2) header_title, (3) site_title parameter to admin/settings; (4) recaptcha_private or (5) recaptcha_public parameter to admin/captcha_settings; (6) fb_appid, (7) fp_secret, (8) tw_consumer_key, or (9) tw_consumer_secret parameter to admin/social_settings; (10) slug parameter to admin/gallery/save_item_settings; or (11) item_link parameter to admin/edit_menu_item_ajax. NOTE: this issue might be resultant from CSRF.

Published 2013-05-13 23:55:02

Updated 2017-08-29 01:33:25

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)Cross-site request forgery (CSRF)

Products affected by CVE-2013-3535

Themelogik » Cmslogik » Version: 1.2.0
cpe:2.3:a:themelogik:cmslogik:1.2.0:*:*:*:*:*:*:*
Matching versions
Themelogik » Cmslogik » Version: 1.2.1
cpe:2.3:a:themelogik:cmslogik:1.2.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-3535

EPSS FAQ

1.81%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 88 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-3535

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2013-3535

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-3535

http://cxsecurity.com/issue/WLB-2013040105

CMSLogik 1.2.1 Multiple Persistent XSS Vulnerabilities - CXSecurity.com
http://www.exploit-db.com/exploits/24959

CMSLogik 1.2.1 - Multiple Vulnerabilities - PHP webapps Exploit
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5136.php

Zero Science Lab » CMSLogik 1.2.1 Multiple Persistent XSS Vulnerabilities
Exploit
http://packetstormsecurity.com/files/121303/CMSLogik-1.2.1-Cross-Site-Scripting.html

CMSLogik 1.2.1 Cross Site Scripting ≈ Packet Storm
https://exchange.xforce.ibmcloud.com/vulnerabilities/83429

CMSLogik multiple cross-site scripting CVE-2013-3535 Vulnerability Report

Jump to

Vulnerability Details : CVE-2013-3535

Products affected by CVE-2013-3535

Exploit prediction scoring system (EPSS) score for CVE-2013-3535

CVSS scores for CVE-2013-3535

CWE ids for CVE-2013-3535

References for CVE-2013-3535