CVSS2: 3.5 Low
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
AI Score: 5.6 Medium (Confidence: High)
EPSS: 0.005 Low (Percentile: 76.5%)
Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.2.3 and possibly other versions before 2.2.4 allow remote authenticated users with Author privileges to inject arbitrary web script or HTML via (1) the profile parameter to extensions/profiledevkit/content/content.profile.php, as demonstrated via requests to (a) the default URI, (b) about/, or (c) drafts/; or (2) the filter parameter in symphony/lib/core/class.symphony.php, as demonstrated via requests to (d) symphony/publish/comments or (e) symphony/publish/images. NOTE: some of these details are obtained from third party information.
packetstormsecurity.org/files/view/106493/symphonycms-sqlxss.txt
seclists.org/bugtraq/2011/Nov/8
secunia.com/advisories/46663
symphony-cms.com/download/releases/version/2.2.4/
www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-symphony-cms/
www.openwall.com/lists/oss-security/2011/11/22/9
www.osvdb.org/76882
www.osvdb.org/76883
exchange.xforce.ibmcloud.com/vulnerabilities/71106