Vulnérabilité CVE-2012-2629 CVE Vulnerability

Multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities in Axous 1.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator account via an addnew action to admin/administrators_add.php; or (2) conduct cross-site scripting (XSS) attacks via the page_title parameter to admin/content_pages_edit.php; the (3) category_name[] parameter to admin/products_category.php; the (4) site_name, (5) seo_title, or (6) meta_keywords parameter to admin/settings_siteinfo.php; the (7) company_name, (8) address1, (9) address2, (10) city, (11) state, (12) country, (13) author_first_name, (14) author_last_name, (15) author_email, (16) contact_first_name, (17) contact_last_name, (18) contact_email, (19) general_email, (20) general_phone, (21) general_fax, (22) sales_email, (23) sales_phone, (24) support_email, or (25) support_phone parameter to admin/settings_company.php; or the (26) system_email, (27) sender_name, (28) smtp_server, (29) smtp_username, (30) smtp_password, or (31) order_notice_email parameter to admin/settings_email.php. (CVSS:6.8) (Last Update:2020-02-28)

Vulnerability Details : (1 public exploit) Multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities in Axous 1.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator account via an addnew action to admin/administrators_add.php; or (2) conduct cross-site scripting (XSS) attacks via the page_title parameter to admin/content_pages_edit.php; the (3) category_name[] parameter to admin/products_category.php; the (4) site_name, (5) seo_title, or (6) meta_keywords parameter to admin/settings_siteinfo.php; the (7) company_name, (8) address1, (9) address2, (10) city, (11) state, (12) country, (13) author_first_name, (14) author_last_name, (15) author_email, (16) contact_first_name, (17) contact_last_name, (18) contact_email, (19) general_email, (20) general_phone, (21) general_fax, (22) sales_email, (23) sales_phone, (24) support_email, or (25) support_phone parameter to admin/settings_company.php; or the (26) system_email, (27) sender_name, (28) smtp_server, (29) smtp_username, (30) smtp_password, or (31) order_notice_email parameter to admin/settings_email.php. Publish Date : 2020-02-20 Last Update Date : 2020-02-28 - CVSS Scores & Vulnerability Types CVSS Score 6.8 Confidentiality Impact Partial(There is considerable informational disclosure.) Integrity Impact Partial(Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.) Availability Impact Partial(There is reduced performance or interruptions in resource availability.) Access Complexity Medium(The access conditions are somewhat specialized. Some preconditions must be satistified to exploit) Authentication Not required(Authentication is not required to exploit the vulnerability.) Gained Access None Vulnerability Type(s) Cross Site ScriptingCSRF CWE ID 352 - Products Affected By CVE-2012-2629 # Product Type Vendor Product Version Update Edition Language 1 Application Axous Axous * * * * Version Details Vulnerabilities - Number Of Affected Versions By Product Vendor Product Vulnerable Versions Axous Axous 1 - References For CVE-2012-2629 Exploit!http://www.exploit-db.com/exploits/18886 Axous 1.1.1 - Multiple Vulnerabilities (CSRF - Persistent XSS) Author:Ivano Binetti Release Date:2012-05-16 (php) webapps http://packetstormsecurity.com/files/112748/Axous-1.1.1-Cross-Site-Request-Forgery-Cross-Site-Scripting.html

- Metasploit Modules Related To CVE-2012-2629 There are not any metasploit modules related to this CVE entry (Please visit www.metasploit.com for more information)