Windu CMS 2.2 Multiple Stored XSS And CSRF Vulnerabilities

Windu CMS suffers from cross-site request forgery vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Multiple stored XSS vulnerabilities also exist when parsing user input to the ‘name’ and ‘username’ POST parameters. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

Advisories:

Windu CMS 2.2 CSRF Add Admin Exploit
Windu CMS 2.2 Multiple Persistent Cross-Site Scripting Vulnerabilities
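
The two mitigations that the description above calls for, shown as an added example that is not Windu CMS code and not part of the original advisories: a per-session token check on state-changing requests, and output encoding of the stored `name` and `username` values. The function names, the `csrf_token` field name and the sample values are all hypothetical.

```php
<?php
// Added example: hypothetical helpers, not taken from Windu CMS.

// Issue (or reuse) a per-session anti-CSRF token to embed in each admin form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Accept a state-changing request only if it is a POST that carries the
// token bound to this session, compared in constant time.
function csrf_check(array $session, string $method, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return $method === 'POST'
        && is_string($supplied)
        && $expected !== ''
        && hash_equals($expected, $supplied);
}

// Encode a stored value for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Constructed demo input (runs from the PHP CLI) ---
$session = [];
$token = csrf_token($session);

// A request submitted from another site: same fields, but no session token.
$crossSite = ['name' => 'New Admin', 'username' => 'newadmin'];
var_dump(csrf_check($session, 'POST', $crossSite));

// The same request submitted from the application's own form.
$sameSite = $crossSite + ['csrf_token' => $token];
var_dump(csrf_check($session, 'POST', $sameSite));

// Stored values containing markup characters are encoded when rendered.
$stored = ['name' => '<b>Alice</b>', 'username' => 'al"ice'];
echo '<td>' . h($stored['name']) . '</td>', PHP_EOL;
echo '<input value="' . h($stored['username']) . '">', PHP_EOL;
```

The first check rejects the request and the second accepts it; the two rendered lines show the markup characters as entities rather than live HTML.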
