CVE-2009-0541
CVE-2009-0541
Multiple cross-site scripting (XSS) vulnerabilities in Magento 1.2.0 and 1.2.1.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username field in an admin/ request to index.php, possibly related to the login[username] parameter and the app/code/core/Mage/Admin/Model/Session.php login function; (2) the email address field in an admin/index/forgotpassword/ request to index.php, possibly related to the email parameter and the app/code/core/Mage/Adminhtml/controllers/IndexController.php forgotpasswordAction function; or (3) the return parameter to the default URI under downloader/.
Affected products
n/a · n/apublic PoCs found — 3
exploitdbwww.exploit-db.com/exploits/32808unverifiedexploitdbwww.exploit-db.com/exploits/32809unverifiedexploitdbwww.exploit-db.com/exploits/32810unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://archives.neohapsis.com/archives/fulldisclosure/2009-02/0257.htmlhttp://secunia.com/advisories/34000http://securitytracker.com/id?1021746https://exchange.xforce.ibmcloud.com/vulnerabilities/48876https://exchange.xforce.ibmcloud.com/vulnerabilities/48877https://exchange.xforce.ibmcloud.com/vulnerabilities/48878http://www.securityfocus.com/bid/33872