CVE-2010-1996

Multiple cross-site scripting (XSS) vulnerabilities in index.php in TomatoCMS before 2.0.5 allow remote authenticated users, with certain creation privileges, to inject arbitrary web script or HTML via the (1) content parameter in conjunction with a /admin/poll/add PATH_INFO, the (2) meta parameter in conjunction with a /admin/category/add PATH_INFO, and the (3) keyword parameter in conjunction with a /admin/tag/add PATH_INFO.

Published: May 20, 2010
Updated: Apr 13, 2023
CVE: CVE-2010-1996
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 2.1
AV:N/AC:H/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
tomatocms / tomatocms	2.0.1	2.0.1.x
tomatocms / tomatocms	2.0.0	2.0.0.x
tomatocms / tomatocms	2.0.3.1430	2.0.3.1430.x
tomatocms / tomatocms	2.0.3	2.0.3.x
tomatocms / tomatocms	2.0.2	2.0.2.x
tomatocms / tomatocms	-	2.0.4.x
tomatocms / tomatocms	2.0.3.1622	2.0.3.1622.x

http://holisticinfosec.org/content/view/141/45/
http://osvdb.org/64552
http://osvdb.org/64553
http://osvdb.org/64554
http://secunia.com/advisories/39320
http://www.securityfocus.com/bid/40108
https://exchange.xforce.ibmcloud.com/vulnerabilities/58475
https://exchange.xforce.ibmcloud.com/vulnerabilities/58491
https://exchange.xforce.ibmcloud.com/vulnerabilities/58492

Vulnerability Database

289,697

CVE-2010-1996