PT-2009-12: UMI.CMS Cross-Site Scripting Vulnerability
Versions 2.x prior to 2.7.1 (build 10856)
Impact: Cross-Site Scripting
Attack Vector: Remote
Base Score: 4.3
Temporal Score: 3.4
CVE: not assigned
UMI.CMS is content management system (CMS) software, usually implemented as a web application, for creating and managing HTML content. It is used to manage and control a large, dynamic collection of web material (HTML documents and their associated images).
Positive Technologies Research Team has discovered a Cross-Site Scripting (XSS) vulnerability in UMI.CMS.
User input passed to the "fields_filter" setting is not properly sanitized. This can be exploited to inject arbitrary HTML and script code, which is then executed in a user's browser session in the context of the affected site.
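The advisory does not show UMI.CMS code, so the following is an added illustration of the bug class it describes, not the product's own code: a hypothetical page that reflects a "fields_filter" query parameter into an HTML attribute, first without encoding and then with contextual encoding, plus the kind of marker-based reflection check a scanner such as MaxPatrol uses to detect the unencoded case. The function and parameter names other than "fields_filter" are assumptions for the example.

```python
import html
from urllib.parse import parse_qs, urlencode


def _fields_filter(query_string: str) -> str:
    """Pull the untrusted fields_filter value out of a raw query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("fields_filter", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Hypothetical vulnerable page: the parameter is copied verbatim into an
    attribute value, so any quote or angle bracket the user supplies becomes
    part of the markup (the pattern behind the advisory's XSS)."""
    value = _fields_filter(query_string)
    return f'<input type="text" name="fields_filter" value="{value}">'


def render_hardened(query_string: str) -> str:
    """Same page with the value HTML-encoded for the quoted-attribute context.
    quote=True also encodes the double quote, which is the character that
    would otherwise let the input break out of the attribute."""
    value = html.escape(_fields_filter(query_string), quote=True)
    return f'<input type="text" name="fields_filter" value="{value}">'


# A harmless marker carrying the metacharacters that matter for HTML injection.
MARKER = 'pt"marker<>'


def reflects_unescaped(render, param: str = "fields_filter") -> bool:
    """Scanner-style check: submit the marker as the parameter and report
    whether it is echoed back unencoded. True means the page is injectable."""
    page = render(urlencode({param: MARKER}))
    return MARKER in page


if __name__ == "__main__":
    print("vulnerable page reflects unescaped:", reflects_unescaped(render_vulnerable))
    print("hardened page reflects unescaped:  ", reflects_unescaped(render_hardened))
```

The check only looks for verbatim reflection of the metacharacters; an absence of reflection does not prove the page is safe in every output context (a value emitted inside a script block or an unquoted attribute needs different encoding), which is why the fix is to encode at the point of output for the exact context, not to filter on input.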
Update to version 2.7.1 (build 10856).
04/03/2009 - Vendor is notified
04/03/2009 - Vendor response
04/03/2009 - Requested status update from vendor
06/03/2009 - Vendor releases fixed version and details
06/03/2009 - Public disclosure
This vulnerability was discovered by Dmitry Evteev (Positive Technologies Research Team) using the MaxPatrol professional network security scanner.
Complete list of vulnerability reports published by Positive Technologies Research Team: