
Gecko CMS 2.3 Multiple Vulnerabilities

Medium
Advisory ID
ZSL-2015-5222
Release Date
12 January 2015
Vendor
Affected Version
2.3 and 2.2
Tested On
Apache/2, PHP/5.4.36
Summary

Gecko CMS is the way to go; forget complicated, bloated and slow content management systems. Gecko CMS has been built to be intuitive, easy to use, extendable to almost anything, running on all standard web hosting (PHP and one MySQL database; Apache is a plus), browser compatible and fast, super fast!

Description

Gecko CMS suffers from multiple vulnerabilities including Cross-Site Request Forgery, Stored and Reflected Cross-Site Scripting and SQL Injection.
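
The vendor's position in the timeline below (no fix because the issues sit in the authenticated admin panel) is worth a closer look: an authenticated session is exactly what CSRF rides on, and stored XSS or SQL injection reachable by an admin is still fully exploitable once that admin is phished or visits a hostile page. The following is an added example, not Gecko CMS code and not from the advisory author, showing the three defences that close the vulnerability classes named above in a minimal PHP admin form handler. The `pages` table, the `update_page_title()` function and the form field names are assumptions chosen for illustration; the script uses an in-memory SQLite database so it runs without any external setup.

```php
<?php
// Added example (not Gecko CMS code): the three defences that close the
// vulnerability classes named in this advisory, as a minimal admin form
// handler. Table name, function names and field names are assumptions.

declare(strict_types=1);
session_start();

// --- CSRF: synchronizer token bound to the session ---------------------------
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(?string $submitted): bool
{
    // hash_equals() gives a constant-time comparison of the two tokens
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// --- XSS: escape on output; stored data is never trusted ---------------------
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- SQL injection: parameterised query through PDO --------------------------
function update_page_title(PDO $db, int $id, string $title): int
{
    $stmt = $db->prepare('UPDATE pages SET title = :title WHERE id = :id');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// --- Request handling --------------------------------------------------------
$db = new PDO('sqlite::memory:');  // in-memory DB so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO pages (id, title) VALUES (1, 'Home')");

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject any state-changing request that does not carry the session token
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $id    = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    $title = (string) ($_POST['title'] ?? '');
    if ($id === false || $id === null || $title === '') {
        http_response_code(400);
        exit('Bad input');
    }
    update_page_title($db, $id, $title);
}

$row = $db->query('SELECT title FROM pages WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
?>
<form method="post">
  <input type="hidden" name="csrf_token" value="<?= e(csrf_token()) ?>">
  <input type="hidden" name="id" value="1">
  <!-- the value is escaped, so a stored payload renders as text, not markup -->
  <input type="text" name="title" value="<?= e($row['title']) ?>">
  <button type="submit">Save</button>
</form>
```

The token check runs before any input is read, the integer id is validated rather than interpolated, and escaping happens at the point of output rather than on the way into the database, so the same stored value stays safe in every template that renders it.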

Proof of Concept
Disclosure Timeline
27.12.2014 Vulnerabilities discovered.
05.01.2015 Vendor contacted.
06.01.2015 Vendor responds asking for more details.
06.01.2015 Sent details to the vendor.
06.01.2015 Vendor confirms issues but is not going to develop a fix because the issues are present in the admin panel (authenticated).
12.01.2015 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
12.01.2015 Initial release
14.01.2015 Added references [1], [2], [3], [4], [5], [6], [7] and [8]
23.01.2015 Added reference [9]
30.01.2015 Added references [10], [11], [12], [13], [14], [15], [16], [17], [18] and [19]