Christopher Kunz has reported some vulnerabilities in Contrexx CMS, which can be exploited by malicious people to conduct cross-site scripting, script insertion and SQL injection attacks.

1) Input passed to the "votingoption" parameter in the poll module and the "pId" parameter in the gallery module is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed to the "term" parameter in the search form is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

3) Input passed in certain blog entries (e.g. the title) is not properly sanitised before being aggregated via the blog aggregation module. This can be exploited to inject arbitrary HTML and script code, which will be executed in an administrative user's browser session in context of an affected site when the malicious user data is viewed.

An issue has also been reported where the installation version is included in the "config/version.xml" file.

The vulnerabilities have been reported in versions prior to 1.0.5.

Solution
Update to version 1.0.5.
Further details available in Customer Area

Provided and/or discovered by
Christopher Kunz, Hardened PHP Project.

Changelog
Further details available in Customer Area

Original Advisory
Hardened PHP Project:
http://www.hardened-php.net/advisory_112005.59.html

Deep Links
Links available in Customer Area