MetInfo 7.0.0 Parameter login.php gourl cross site scripting

Overview :

A vulnerability, which was classified as problematic, has been found in MetInfo 7.0.0 (Content Management System). Affected by this issue is some unknown functionality of the file login.php of the component Parameter Handler.

Affected Product(s) :

MetInfo 7.0.0

Vulnerability Details :

CVE ID : CWE-79

The manipulation of the argument gourl with an unknown input leads to a cross site scripting vulnerability. Using CWE to declare the problem leads to CWE-79. Impacted is integrity. An attacker might be able to inject arbitrary html and script code into the web site. This would alter the appearance and would make it possible to initiate further attacks against site visitors.

The weakness was shared 06/21/2021. The advisory is shared for download at github.com. This vulnerability is handled as CVE-2020-21517. The exploitation is known to be easy. The attack may be launched remotely. A simple authentication is required for exploitation. Successful exploitation requires user interaction by the victim. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1059.007.

Solution :

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

MetInfo 7.0.0 Parameter login.php gourl cross site scripting

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2023-33553 : PLANET WDRT-1800AX 1.01-CP2 COOKIE LOGINSTATUS IMPROPER AUTHENTICATION

CVE-2023-20887 : VMWARE ARIA OPERATIONS FOR NETWORKS 6.X COMMAND INJECTION

CVE-2023-29632 : JMSPAGEBUILDER 3.X ON PRESTASHOP AJAX_JMSPAGEBUILDER.PHP SQL INJECTION