[VIM] vendor dispute: 22066: SpireMedia CMS index.cfm cid Variable SQL Injection (fwd)

Steven M. Christey coley at linus.mitre.org
Wed Jan 18 00:52:23 EST 2006

OK so it looks like it might just be a path disclosure issue from invalid
SQL syntax, at least based on error messages.

However, there is some evidence that there is also a minor XSS type issue
in the same parameter.


(gotta click on the link though)

Oh, but this one works alright:

http://www.spiremedia.com/spiremedia2k5/index.cfm?cid=<img src="javascript:alert('hi')">img here

- Steve

More information about the VIM mailing list