Security Advisory 07-012 – Fatwire CMS is vulnerable to XSS in multiple locations
Fatwire CMS is vulnerable to XSS in multiple locations.
Fatwire Corporation Content Server 6.3.0
Vulnerability discovery and development:
Portcullis Security Testing Services
Credit for Discovery:
Andrew Davies of Portcullis Computer Security Ltd discovered this vulnerability.
Fatwire Corporation Content Server 6.3 was found to be vulnerable.
The CMS is vulnerable to XSS in multiple locations, mainly within the search and advanced search functions.
Impact: Low > Moderate. For this vulnerability to be exploited, a malicious user must craft a URL that contains the code they wish to execute within the victim's browser. Once the attacker has encouraged their victims to follow the link, the code will execute. This vulnerability can also be used to steal session IDs stored in cookies and thus potentially gain access to admin accounts.
Insert the following into any text form field: "<script>alert('xss')</script>"
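The reflection pattern the advisory describes, shown beside its fix, as an added example that is not part of the original advisory and not Fatwire's code. It assumes a hypothetical search page that reflects a query parameter named "q" and a hypothetical session cookie named "sessionid"; the only payload used is the one quoted above, and the access-log lines are constructed for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The payload quoted in the advisory; used here only to show the two renderings.
SAMPLE_PAYLOAD = "<script>alert('xss')</script>"

# Matches an opening script tag, case-insensitively, with optional whitespace.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def term_from_url(url: str) -> str:
    """Extract the search term from a crafted URL the way the server would.

    Assumes a hypothetical query parameter named 'q'; parse_qs percent-decodes it.
    """
    query = parse_qs(urlsplit(url).query)
    return query.get("q", [""])[0]


def render_search_vulnerable(term: str) -> str:
    """Reflects the raw term into the page: the defect the advisory reports."""
    return f"<p>Results for: {term}</p>"


def render_search_fixed(term: str) -> str:
    """Same page, but the term is HTML-entity encoded before it is reflected.

    quote=True also encodes ' and " so the term is safe inside attribute values.
    """
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_active_markup(rendered: str) -> bool:
    """True if the rendered HTML still carries a live <script> tag."""
    return SCRIPT_TAG.search(rendered) is not None


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line with HttpOnly, which keeps the session ID out of reach of
    injected script (cookie name 'sessionid' is an assumption for this example)."""
    return f"Set-Cookie: sessionid={session_id}; Path=/; HttpOnly; Secure"


# Constructed access-log lines (not from the advisory): one normal search and one
# carrying the percent-encoded payload.
ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2007:10:00:00 +0000] "GET /search?q=widgets HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2007:10:00:01 +0000] '
    '"GET /search?q=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E HTTP/1.1" 200 640',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_script_requests(lines):
    """Return the decoded request paths whose query carries a script tag.

    Decoding first matters: the tag arrives percent-encoded in the raw log line.
    """
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = unquote(match.group(1))
        if SCRIPT_TAG.search(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    url = "http://search.example.invalid/search?q=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E"
    term = term_from_url(url)
    print("vulnerable:", render_search_vulnerable(term))
    print("fixed:     ", render_search_fixed(term))
    print("flagged:   ", flag_script_requests(ACCESS_LOG))
```

The fixed renderer leaves the search term readable to the user while turning `<` and `>` into entities, so the browser shows the text instead of executing it; the log scan is the matching detection, applied after percent-decoding so encoded tags are not missed.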
The vendor has been contacted and has advised that the vulnerability has been fixed in the latest patch release for CS 6.3.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.