CVE-2012-1664

osCMax 2.5 - '/admin/geo_zones.php?zID' Cross-Site Scripting

Severity Score

4.3
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

10
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Multiple cross-site scripting (XSS) vulnerabilities in the admin panel in osCMax before 2.5.1 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter in a process action to admin/login.php; (2) pageTitle, (3) current_product_id, or (4) cPath parameter to admin/new_attributes_include.php; (5) sb_id, (6) sb_key, (7) gc_id, (8) gc_key, or (9) path parameter to admin/htaccess.php; (10) title parameter to admin/information_form.php; (11) search parameter to admin/xsell.php; (12) gross or (13) max parameter to admin/stats_products_purchased.php; (14) status parameter to admin/stats_monthly_sales.php; (15) sorted parameter to admin/stats_customers.php; (16) information_id parameter to /admin/information_manager.php; or (17) zID parameter to /admin/geo_zones.php.

osCmax version 2.5.0 suffers from cross site scripting and remote SQL injection vulnerabilities.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2012-03-14 CVE Reserved
  • 2012-04-04 First Exploit
  • 2012-04-05 CVE Published
  • 2024-06-13 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor  Product  Version   Other  Status
Oscmax  Oscmax   <= 2.5.0  -      Affected