Security researchers found XSS and SQL injection vulnerabilities

Feb 28, 2012 16:30 GMT

Experts from the Vulnerability Lab identified multiple web vulnerabilities in the Wolf and Gazelle Anatasoft content management systems (CMS). More precisely, they determined that the 0.7.5 variant of Wolf and all the 1.x versions of Gazelle Anatasoft are flawed.

The security holes in Wolf CMS were found by Georgian security researcher Ucha Gobejishvili, also known as longrifle0x. He discovered a blind SQL injection vulnerability and a persistent cross-site scripting (XSS) vulnerability.

The SQL injection flaw could allow a remote attacker to execute his own SQL commands on the affected application’s database management system. If exploited successfully, the application or the webserver could be compromised.

The persistent XSS could be leveraged by a hacker to inject persistent malicious code on the application side, permitting him to hijack the session and even steal an account.

The vendor of the CMS was notified of the existence of the issues on February 11, and the vulnerability information was disclosed on February 27. It’s uncertain at this time if the company addressed the problems.

All the 1.x variants of Gazelle Anatasoft were found to contain multiple validation vulnerabilities that can be utilized by an attacker to implement or inject malicious code on the application side.

A hacker could rely on these weaknesses to hijack sessions, manipulate context when processing a request, and manipulate flawed modules.

The Edit MenuGroup, Edit Module and Module Name, and the Search Module were named as the ones that present the security holes. The medium-severity persistent script code injection issues were reported to the vendor on February 21, but for now it’s unknown whether they have been addressed.

Customers of Wolf CMS 0.7.5 and Gazelle Anatasoft CMS 1.x are advised to monitor the vendors’ sites because most likely they’ll release security updates that resolve the issues. Once the updates are made available, users are advised to apply them immediately.