CVE-2015-1422 Information
Description
Multiple cross-site scripting (XSS) vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) horder[], (2) jak_catid, (3) jak_content, (4) jak_css, (5) jak_delete_log[], (6) jak_email, (7) jak_extfile, (8) jak_file, (9) jak_hookshow[], (10) jak_img, (11) jak_javascript, (12) jak_lcontent, (13) jak_name, (14) jak_password, (15) jak_showcontact, (16) jak_tags, (17) jak_title, (18) jak_url, (19) jak_username, (20) real_hook_id[], (21) sp, (22) sreal_plugin_id[], (23) ssp, or (24) sssp parameter to admin/index.php, or the (25) editor, (26) field_id, (27) fldr, (28) lang, (29) popup, (30) subfolder, or (31) type parameter to js/editor/plugins/filemanager/dialog.php.
Reference
http://osvdb.org/show/osvdb/116967
http://osvdb.org/show/osvdb/116969
http://osvdb.org/show/osvdb/116970
http://packetstormsecurity.com/files/129929/Gecko-CMS-2.2-2.3-CSRF-XSS-SQL-Injection.html
http://www.exploit-db.com/exploits/35767
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5222.php
https://exchange.xforce.ibmcloud.com/vulnerabilities/99977