Vulnerability Description
Multiple cross-site scripting (XSS) vulnerabilities in Plume CMS 1.2.4 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the u_email parameter (aka Authors Email field) to manager/users.php, (2) the u_realname parameter (aka Authors Name field) to manager/users.php, or (3) the c_author parameter (aka Author field) in an ADD A COMMENT section.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Plume-Cms | Plume Cms | <= 1.2.4 |
Related Weaknesses (CWE)
References
- http://osvdb.org/80960
- http://osvdb.org/80961
- http://www.exploit-db.com/exploits/18699
- http://www.securityfocus.com/bid/52890
- http://www.webapp-security.com/2012/04/plumecms
- http://www.webapp-security.com/wp-content/uploads/2012/04/PlumeCMS-1.2.4-Multipl
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74614
- http://osvdb.org/80960
- http://osvdb.org/80961
- http://www.exploit-db.com/exploits/18699
- http://www.securityfocus.com/bid/52890
- http://www.webapp-security.com/2012/04/plumecms
- http://www.webapp-security.com/wp-content/uploads/2012/04/PlumeCMS-1.2.4-Multipl
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74614
FAQ
What is CVE-2012-2156?
CVE-2012-2156 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Multiple cross-site scripting (XSS) vulnerabilities in Plume CMS 1.2.4 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the u_email parameter (aka Authors Email field)...
How severe is CVE-2012-2156?
CVE-2012-2156 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-2156?
Check the references section above for vendor advisories and patch information. Affected products include: Plume-Cms Plume Cms.