CommonSpot CMS 5.1.0.x Cross Site Scripting vulnerabilities
XSS vulnerabilities in CommonSpot CMS
XSS vulnerabilities in CommonSpot CMS <= 5.1.0.x
Software: CommonSpot CMS < 5.1
Tested on 188.8.131.52, 184.108.40.206, 220.127.116.11, but all versions between 5.0.x and 5.1 seem vulnerable
Release Date: 2010-05-31
Last Update: 2010-05-31
Impact: Credential theft, Cross Site Request Forgery
Solution Status: Not fixed
*CommonSpot by PaperThin is a flexible, scalable and easy to use content management system (CMS). CommonSpot’s inherent ease of use empowers business users to be self-sufficient, productive, and achieve faster time-to-market, while enabling IT and site administrators to easily adapt the system to meet their complex needs. Key features such as the ability to create and publish RSS feeds—without writing code—come right out of the box. CommonSpot also offers a rich metadata architecture for content tagging and re-use, and taxonomy and facet-based navigation for better content organization.
(*) Taken from website
Fields in loader.cfm are not properly sanitized, which exposes the CMS to several distinct Cross Site Scripting vulnerabilities.
09/13/2009 - Vendor contacted
05/31/2010 - Full disclosure