CVE-2008-1972

Exponent CMS <0.96.6-GA20071003 - XSS

Title source: llm

Description

Multiple cross-site scripting (XSS) vulnerabilities in the user account creation feature in Exponent CMS 0.96.6-GA20071003 and earlier, when the Allow Registration? configuration option is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) firstname, (3) lastname, and (4) e-mail address fields. NOTE: some of these details are obtained from third party information.

References (5)

[Vendor Advisory] http://secunia.com/advisories/29875

[Product] http://sourceforge.net/project/shownotes.php?release_id=592961&group_id=118524

[Various Sources] http://www.exponentcms.org/index.php?action=view&id=64&module=newsmodule&src=%40random44fe03276195

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/41878

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/28834

Scores

EPSS 0.0033

EPSS Percentile 55.5%

Classification

CWE

CWE-79

Status draft

Affected Products (9)

oicgroup/exponent_cms < 0.96.6-ga20071003

oicgroup/exponent_cms

oicgroup/exponent_cms

oicgroup/exponent_cms

oicgroup/exponent_cms

oicgroup/exponent_cms

oicgroup/exponent_cms

oicgroup/exponent_cms

oicgroup/exponent_cms

Timeline

Published Apr 27, 2008

Tracked Since Feb 18, 2026