Two vulnerabilities have been discovered in Pulse CMS, which can be exploited by malicious users to disclose sensitive information and by malicious people to conduct cross-site scripting attacks.
1) Input passed to the "f" parameter in view.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected application.
2) Input passed via the "f" parameter to view.php is not properly sanitised before being used to read files. This can be exploited to disclose the content of local files via directory traversal sequences. Successful exploitation of this vulnerability requires authentication.
The vulnerabilities are confirmed in version 1.2.2. Other versions may also be affected.
Solution: Update to version 1.2.4 or later.
Provided and/or discovered by: 1) Th3 RDX
Original Advisory: Pulse CMS:
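The two checks the advisory describes as missing for the "f" parameter can be shown together in one handler: confine the resolved path to a single directory before reading, and HTML-encode the value before returning it. This is an added example, not Pulse CMS code or the vendor's fix; `CONTENT_DIR`, `resolve_content_file()` and `h()` are hypothetical names, and the directory layout is an assumption.

```php
<?php
declare(strict_types=1);

// Added example, not Pulse CMS code. Hypothetical directory the viewer may read from.
const CONTENT_DIR = __DIR__ . '/content';

/** Map a user-supplied "f" value to a file inside $baseDir, or null if it must be refused. */
function resolve_content_file(string $f, string $baseDir): ?string
{
    if ($f === '' || strpos($f, "\0") !== false) {
        return null; // empty value or embedded NUL byte
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" segments and symlinks, and returns false for a missing file.
    $path = realpath($base . DIRECTORY_SEPARATOR . $f);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Compare against the base plus a trailing separator so "/content-old" cannot pass as "/content".
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

/** Encode a value for HTML text or a quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Request handling: "f" is never echoed or passed to a file function without the checks above.
$f = $_GET['f'] ?? '';
if (!is_string($f)) {
    $f = ''; // a request such as f[]=x arrives as an array
}
$path = resolve_content_file($f, CONTENT_DIR);
header('Content-Type: text/html; charset=UTF-8');
if ($path === null) {
    http_response_code(404);
    echo '<p>File not available: ' . h($f) . '</p>';
    exit;
}
echo '<h1>' . h(basename($path)) . '</h1>';
echo '<pre>' . h((string) file_get_contents($path)) . '</pre>';
```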
Subject: Pulse CMS Cross-Site Scripting and Directory Traversal
Score: -5 Posts: 4 User Since: 12th Mar 2010 System Score: N/A Location: US Last edited on 12th Mar, 2010 23:44
This advisory is misleading. This is not a true threat since this page is only accessible AFTER you log in. So it is not a publicly viewable page, only the admin can view it. The file has also been modified to add more security. Please remove this. Thank you.
Score: 5 Posts: 7 User Since: 16th Feb 2010 System Score: N/A Location: Copenhagen, DK
Please note that the cross-site scripting vulnerability is confirmed in version 1.2.2 and also in the updated package of version 1.2.2. If a logged-in administrative user visits a malicious web site or follows a specially crafted link, arbitrary script code controlled by the attacker can be executed in the context of the user's browser session.
We've also noticed that a directory traversal vulnerability has been fixed in an updated package of version 1.2.2 that allows logged-in users to disclose the contents of local files. We've, therefore, updated our advisory to reflect this new information.