Info

Disclosure

Sep 05, 2008

Discovery

Unknown

Dates

Exploit

Sep 05, 2008

Solution

Unknown

Description

DevalCMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'currentpath' parameters upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: Vendor Verified, Uncoordinated Disclosure
OSVDB: Web Related

Solution

Products

Unknown or Incomplete

References

CVE ID: 2008-6982 (see also: NVD)
Bugtraq ID: 31037
Secunia Advisory ID: 31776
ISS X-Force ID: 44940
Related OSVDB ID: 47972
Milw0rm: 6369
Exploit Database: 6369
Vendor URL: http://sourceforge.net/projects/devalcms/
Vendor Specific News/Changelog Entry: http://sourceforge.net/projects/devalcms/files/devalcms/devalcms-1.4b/devalcms-1.4b.zip/download

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/47971