CVE-2012-2156

Plume-cms Plume Cms < 1.2.4 - XSS

Description

Multiple cross-site scripting (XSS) vulnerabilities in Plume CMS 1.2.4 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the u_email parameter (aka Authors Email field) to manager/users.php, (2) the u_realname parameter (aka Authors Name field) to manager/users.php, or (3) the c_author parameter (aka Author field) in an ADD A COMMENT section.

Exploits (1)

exploitdb WRITEUP
by Ivano Binetti · text · webapps · php
https://www.exploit-db.com/exploits/18699

Scores

EPSS 0.0225
EPSS Percentile 84.4%

Classification

CWE
CWE-79
Status published

Affected Products (12)

plume-cms/plume_cms < 1.2.4
plume-cms/plume_cms
n/a/n/a

Timeline

Published Apr 11, 2012
Tracked Since Feb 18, 2026