Cross-site scripting in GeniXCMS - CVE-2017-5516
Published: January 17, 2017 / Updated: January 17, 2017
GeniXCMS
Detailed vulnerability description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via "token" HTTP GET parameter to "/gxadmin/inc/pages_form.php", "/gxadmin/inc/posts_form.php", "/gxadmin/inc/menus_form.php", "/gxadmin/inc/menus_form_edit.php", and "/gxadmin/inc/user_form.php" scripts. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.