CVE-2010-1996

medium

Description

Multiple cross-site scripting (XSS) vulnerabilities in index.php in TomatoCMS before 2.0.5 allow remote authenticated users, with certain creation privileges, to inject arbitrary web script or HTML via the (1) content parameter in conjunction with a /admin/poll/add PATH_INFO, the (2) meta parameter in conjunction with a /admin/category/add PATH_INFO, and the (3) keyword parameter in conjunction with a /admin/tag/add PATH_INFO.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/58492

https://exchange.xforce.ibmcloud.com/vulnerabilities/58491

https://exchange.xforce.ibmcloud.com/vulnerabilities/58475

http://www.securityfocus.com/bid/40108

http://secunia.com/advisories/39320

http://osvdb.org/64554

http://osvdb.org/64553

http://osvdb.org/64552

http://holisticinfosec.org/content/view/141/45/

Details

Source: Mitre, NVD

Published: 2010-05-20

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 2.1

Vector: CVSS2#AV:N/AC:H/Au:S/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00458