Detections
Analytics
Mura CMS link Parameter XSS
medium Nessus Plugin ID 49699
Language:
Synopsis
The remote web server hosts a ColdFusion script that is prone to a cross-site scripting attack.Description
The version of Mura CMS hosted on the remote web server fails to sanitize user-supplied input to the 'link' parameter of the 'default/includes/display_objects/sendtofriend/index.cfm' script before using it to generate dynamic HTML output.An attacker may be able to leverage this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site.
Note that the install is also likely to be affected by two other cross-site scripting vulnerabilities, although Nessus has not checked for them.
Solution
Either apply the appropriate security patch referenced in the vendor's advisory or upgrade to version 5.1.967 or later.See Also
https://www.getmura.com/blog/mura-cms-xss-vulnerability-fix/
Plugin Details
Severity: Medium
ID: 49699
File Name: mura_cms_link_xss.nasl
Version: 1.14
Type: remote
Family: CGI abuses : XSS
Published: 9/30/2010
Updated: 6/1/2022
Configuration: Enable thorough checks
Supported Sensors: Nessus
Vulnerability Information
Required KB Items: www/mura_cms
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 10/30/2009
Vulnerability Publication Date: 10/29/2009
Reference Information
BID: 42180