SQL injection vulnerability in modules/rss/rss.php in Cotonti before 0.9.14 allows remote attackers to execute arbitrary SQL commands via the "c" parameter to index.php.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| cotonti | cotonti_siena | 0.9.3 |
| cotonti | cotonti_siena | 0.9.1 |
| cotonti | cotonti_siena | 0.9.5 |
| cotonti | cotonti_siena | * |
| cotonti | cotonti_siena | 0.9.9 |
| cotonti | cotonti_siena | 0.9.4 |
| cotonti | cotonti_siena | 0.9.8 |
| cotonti | cotonti_siena | 0.9.0 |
| cotonti | cotonti_siena | 0.9.10 |
| cotonti | cotonti_siena | 0.9.11 |
| cotonti | cotonti_siena | 0.9.2 |
| cotonti | cotonti_siena | 0.9.12 |
| cotonti | cotonti_siena | 0.9.7 |
| cotonti | cotonti_siena | 0.9.6 |
Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| disclosure@vulncheck.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N | 3.9 | 2.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| cotonti | cotonti_siena | 0.9.19 |
Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a forum post.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | 1.7 | 2.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| cotonti | cotonti_siena | 0.9.20 |
Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a direct message (DM).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | 1.7 | 2.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| cotonti | cotonti_siena | 0.9.20 |
A stored cross-site scripting (XSS) vulnerability in the Edit Page function of Cotonti CMS v0.9.24 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| cotonti | cotonti_siena | 0.9.24 |
| cotonti | siena | 0.9.24 |
A vulnerability has been found in Cotonti Siena v0.9.25. Affected by this vulnerability is the file /admin.php?m=config&n=edit&o=core&p=title. The manipulation of the value of title leads to cross-site scripting.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| cotonti | cotonti_siena | 0.9.25 |