CVE-2012-1979

Cross-site scripting (XSS) vulnerability in starnet/index.php in SyndeoCMS 3.0.01 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the email parameter (aka Email address field) in an edit_user configuration action.

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://osvdb.org/80746
http://packetstormsecurity.org/files/111405/SyndeoCMS-3.0.01-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/18686/	Exploit
http://www.securityfocus.com/bid/52840
http://www.webapp-security.com/wp-content/uploads/2012/03/syndeocms_3.0.01-Persistent-XSS.txt	Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/74545

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:syndeocms:syndeocms::::::::
	cpe:2.3:a:syndeocms:syndeocms:2.4:::::::*
	cpe:2.3:a:syndeocms:syndeocms:2.4.10:::::::*
	cpe:2.3:a:syndeocms:syndeocms:2.5.00:::::::*
	cpe:2.3:a:syndeocms:syndeocms:2.5.01:::::::*
	cpe:2.3:a:syndeocms:syndeocms:2.6.00:::::::*
	cpe:2.3:a:syndeocms:syndeocms:2.7.00:::::::*
	cpe:2.3:a:syndeocms:syndeocms:2.8.00:::::::*
	cpe:2.3:a:syndeocms:syndeocms:2.8.1:::::::*
	cpe:2.3:a:syndeocms:syndeocms:2.8.02:::::::*
	cpe:2.3:a:syndeocms:syndeocms:2.9.00:::::::*
	cpe:2.3:a:syndeocms:syndeocms:3.0.00:::::::*

History

No history.

Information

Published : 2012-04-17 18:55

Updated : 2024-02-04 18:16

NVD link : CVE-2012-1979

Mitre link : CVE-2012-1979

CVE.ORG link : CVE-2012-1979

JSON object : View

Products Affected

syndeocms

syndeocms

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2012-1979", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2012-04-17T18:55:01.380", "references": [{"url": "http://osvdb.org/80746", "source": "cve@mitre.org"}, {"url": "http://packetstormsecurity.org/files/111405/SyndeoCMS-3.0.01-Cross-Site-Scripting.html", "source": "cve@mitre.org"}, {"url": "http://www.exploit-db.com/exploits/18686/", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/52840", "source": "cve@mitre.org"}, {"url": "http://www.webapp-security.com/wp-content/uploads/2012/03/syndeocms_3.0.01-Persistent-XSS.txt", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74545", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in starnet/index.php in SyndeoCMS 3.0.01 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the email parameter (aka Email address field) in an edit_user configuration action."}, {"lang": "es", "value": "Una vulnerabilidad de ejecuci\u00f3n de comandos en sitios cruzados(XSS) en starnet/index.php en SyndeoCMS v3.0.01 y anteriores permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro 'email' (correo electr\u00f3nico) en una acci\u00f3n de configuraci\u00f3n 'edit_user'."}], "lastModified": "2017-08-29T01:31:26.867", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:syndeocms:syndeocms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1BBA5244-2D39-434C-A618-341CFE8A4A2D", "versionEndIncluding": "3.0.01"}, {"criteria": "cpe:2.3:a:syndeocms:syndeocms:2.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A15A5AA5-2150-4E4F-9D04-6AD1B6FA90A0"}, {"criteria": "cpe:2.3:a:syndeocms:syndeocms:2.4.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BC375EC-C270-4EBB-B81F-28EA4B2FDE95"}, {"criteria": "cpe:2.3:a:syndeocms:syndeocms:2.5.00:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9EE73158-2F9D-45E8-BCDD-4DDA6DED5C97"}, {"criteria": "cpe:2.3:a:syndeocms:syndeocms:2.5.01:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "679F9994-1C5D-455B-928D-D18F1618B745"}, {"criteria": "cpe:2.3:a:syndeocms:syndeocms:2.6.00:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7DA79E21-A2F8-47FB-80EB-27749520E04C"}, {"criteria": "cpe:2.3:a:syndeocms:syndeocms:2.7.00:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F339F8AB-4969-4338-862B-C9ECB5443301"}, {"criteria": "cpe:2.3:a:syndeocms:syndeocms:2.8.00:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC1F7AD4-E83D-459E-B5EA-DAFD46FF4200"}, {"criteria": "cpe:2.3:a:syndeocms:syndeocms:2.8.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ACA74ADF-71ED-45FE-A147-0DCB1B9031FD"}, {"criteria": "cpe:2.3:a:syndeocms:syndeocms:2.8.02:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "619EE292-52F6-4AD5-AEA8-433CE472CE93"}, {"criteria": "cpe:2.3:a:syndeocms:syndeocms:2.9.00:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8BB20ABE-B0B7-4761-B523-93EC012D3856"}, {"criteria": "cpe:2.3:a:syndeocms:syndeocms:3.0.00:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8132A3E2-C0FC-4BDC-A898-D86D86ECCFCD"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}