Two vulnerabilities have been discovered in Pulse CMS, which can be exploited by malicious users to disclose sensitive information and by malicious people to conduct cross-site scripting attacks.
Subject: Pulse CMS Cross-Site Scripting and Directory Traversal
Score: -5 Posts: 4 User Since: 12th Mar 2010 System Score: N/A Location: US Last edited on 12th Mar, 2010 23:44
This advisory is misleading. This is not a true threat since this page is only accessible AFTER you log in. So it is not a publicly viewable page, only the admin can view it. The file has also been modified to add more security. Please remove this. Thank you.
Score: 5 Posts: 7 User Since: 16th Feb 2010 System Score: N/A Location: Copenhagen, DK
Please note that the cross-site scripting vulnerability is confirmed in version 1.2.2 and also in the updated package of version 1.2.2. If a logged-in administrative user visits a malicious web site or follows a specially crafted link, arbitrary script code controlled by the attacker can be executed in the context of the user's browser session.
We've also noticed that a directory traversal vulnerability has been fixed in an updated package of version 1.2.2 that allows logged-in users to disclose the contents of local files. We've, therefore, updated our advisory to reflect this new information.