CVE-2010-2281 — MEDIUM (4.3)

Vulnerability Description

Multiple cross-site scripting (XSS) vulnerabilities in index.php in TomatoCMS 2.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) keyword or (2) bannerid parameter in conjunction with a /admin/ad/banner/list PATH_INFO; and allow remote authenticated users, with certain privileges, to inject arbitrary web script or HTML via the (3) title or (4) answers parameter in conjunction with a /admin/poll/add PATH_INFO, or the (5) name parameter in conjunction with a /admin/category/add PATH_INFO.

CVSS Score

4.3

MEDIUM

AV:N/AC:M/Au:N/C:N/I:P/A:N

Confidentiality

NONE

Integrity

PARTIAL

Availability

NONE

Affected Products

Vendor	Product	Versions
Tomatocms	Tomatocms	2.0.6

Related Weaknesses (CWE)

CWE-79

References

http://holisticinfosec.org/content/view/148/45/
http://secunia.com/advisories/39680Vendor Advisory
http://holisticinfosec.org/content/view/148/45/
http://secunia.com/advisories/39680Vendor Advisory

FAQ

What is CVE-2010-2281?

CVE-2010-2281 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Multiple cross-site scripting (XSS) vulnerabilities in index.php in TomatoCMS 2.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) keyword or (2) bannerid parameter in conju...

How severe is CVE-2010-2281?

CVE-2010-2281 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2010-2281?

Check the references section above for vendor advisories and patch information. Affected products include: Tomatocms Tomatocms.