Cross-site scripting in Croogo - CVE-2014-8577

Detailed vulnerability description

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in Croogo before 2.1.0 when processing the "data[Contact][title]" parameter passed to admin/contacts/contacts/add page, "data[Block][title]" and "data[Block][alias]" parameters to admin/blocks/blocks/edit page, "data[Region][title]" parameter to admin/blocks/regions/add page, "data[Menu][title]" and "data[Menu][alias]" parameters to admin/menus/menus/add page, and "data[Link][title]" parameter to admin/menus/links/add/menu page. A remote attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

How to mitigate CVE-2014-8577

Sources

• http://blog.croogo.org/blog/croogo-210-released
• http://packetstormsecurity.com/files/128639/Croogo-2.0.0-Cross-Site-Scripting.html
• http://www.exploit-db.com/exploits/34959
• http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5201.php
• https://exchange.xforce.ibmcloud.com/vulnerabilities/96991