CVE-2012-2629 Information

Description

Multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities in Axous 1.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator account via an addnew action to admin/administrators_add.php; or (2) conduct cross-site scripting (XSS) attacks via the page_title parameter to admin/content_pages_edit.php; the (3) category_name[] parameter to admin/products_category.php; the (4) site_name (5) seo_title or (6) meta_keywords parameter to admin/settings_siteinfo.php; the (7) company_name (8) address1 (9) address2 (10) city (11) state (12) country (13) author_first_name (14) author_last_name (15) author_email (16) contact_first_name (17) contact_last_name (18) contact_email (19) general_email (20) general_phone (21) general_fax (22) sales_email (23) sales_phone (24) support_email or (25) support_phone parameter to admin/settings_company.php; or the (26) system_email (27) sender_name (28) smtp_server (29) smtp_username (30) smtp_password or (31) order_notice_email parameter to admin/settings_email.php.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reference

http://packetstormsecurity.com/files/112748/Axous-1.1.1-Cross-Site-Request-Forgery-Cross-Site-Scripting.html

http://www.exploit-db.com/exploits/18886

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

8.8

Base Severity

HIGH
