CVE-2010-2367
Description
Cross-site scripting (XSS) vulnerability in search.cgi in AD-EDIT2 before 3.0.9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site scripting vulnerability in search.cgi of the AD-EDIT2 CMS allows remote attackers to inject arbitrary script into users' browsers.
Vulnerability
AD-EDIT2, a content management system, contains a cross-site scripting (XSS) vulnerability in its site search program search.cgi [1][2]. All versions prior to v3.0.9 are affected [3]. The flaw allows injection of arbitrary web script or HTML through unspecified vectors within the search functionality.
Exploitation
A remote attacker can exploit this vulnerability by crafting a malicious URL or input that, when processed by search.cgi, injects script into the page. No authentication is required, but user interaction is needed—the victim must access the crafted link or input, typically via a web browser. The exact attack vector is not detailed, but CVSS v2 scoring indicates medium access complexity, suggesting some conditions or user actions are necessary [3].
Impact
Successful exploitation enables an attacker to execute arbitrary script in the context of the victim's browser. This can lead to session hijacking, information disclosure (e.g., cookies, form data), or other malicious actions within the affected site. The impact is partial integrity compromise, while confidentiality and availability are not directly affected [2][3].
Mitigation
The vendor released version v3.0.9 to address the vulnerability [1]. Users should update to this version or replace the search.cgi file with the security-fixed version available from the developer's download page [1]. No workarounds beyond updating are provided. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
References (3)
News mentions (0)
No linked articles in our index yet.