Overview #

Multiple vulnerabilities including Cross-site Scripting (XSS) and SQL Injection exist in e107 CMS version 2.0. These vulnerabilities allow remote attackers to execute malicious scripts and SQL commands.

Vulnerability Details #

Affected Versions: 2.0 and earlier

Root Cause: Insufficient input validation on multiple parameters allows both XSS and SQL Injection attacks.

Exploitation Requirements #

• No authentication required for some vectors
• Direct access to vulnerable endpoints

Impact #

Remote attackers can exploit these vulnerabilities to:

• Execute arbitrary JavaScript in victims' browsers
• Extract sensitive data from the database
• Bypass authentication mechanisms
• Compromise the entire CMS

Proof of Concept #

Details available upon request.

Solution #

Upgrade to a patched version of e107 that includes proper input sanitization and parameterized queries.

References #

• Vendor notification sent