CVE-2010-1995

EUVD-2010-2014
Multiple cross-site scripting (XSS) vulnerabilities in index.php in TomatoCMS before 2.0.5 allow remote authenticated users, with "Add new article" privileges, to inject arbitrary web script or HTML via the (1) title, (2) subTitle, and (3) author parameters in conjunction with a /admin/news/article/add PATH_INFO.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
2.1 UNKNOWN
NETWORK
HIGH
AV:N/AC:H/Au:S/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
Affected Products (NVD)
VendorProductVersion
tomatocmstomatocms
𝑥
≤ 2.0.4
tomatocmstomatocms
2.0.0
tomatocmstomatocms
2.0.1
tomatocmstomatocms
2.0.2
tomatocmstomatocms
2.0.3
tomatocmstomatocms
2.0.3.1430
tomatocmstomatocms
2.0.3.1622
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://holisticinfosec.org/content/view/141/45/
http://osvdb.org/64550
http://secunia.com/advisories/39320
http://secunia.com/secunia_research/2010-59/
http://www.securityfocus.com/archive/1/511272/100/0/threaded
http://www.securityfocus.com/bid/40108
https://exchange.xforce.ibmcloud.com/vulnerabilities/58471
http://holisticinfosec.org/content/view/141/45/
http://osvdb.org/64550
http://secunia.com/advisories/39320
http://secunia.com/secunia_research/2010-59/
http://www.securityfocus.com/archive/1/511272/100/0/threaded
http://www.securityfocus.com/bid/40108
https://exchange.xforce.ibmcloud.com/vulnerabilities/58471