CVE-2012-1932
Description
A cross-site scripting (XSS) vulnerability in Wolf CMS 0.75 and earlier allows remote attackers to inject arbitrary web script or HTML via the setting[admin_email] parameter to admin/setting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Wolf CMS 0.75 and earlier has a persistent XSS vulnerability via the setting[admin_email] parameter, allowing remote attackers to inject arbitrary script.
Vulnerability
Wolf CMS versions 0.75 and earlier are susceptible to a persistent cross-site scripting (XSS) vulnerability in the admin settings page. An attacker can inject arbitrary web script or HTML through the setting[admin_email] parameter to the /admin/setting endpoint [1]. The injected code is stored and executed when an administrator visits the settings page.
Exploitation
An attacker must have access to the admin settings page, which typically requires administrative credentials. However, the vulnerability could be exploited by a malicious admin or via cross-site request forgery (CSRF) if an authenticated admin is tricked into submitting a crafted request. The attacker sends a specially crafted HTTP request with malicious JavaScript in the setting[admin_email] parameter.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the affected admin interface. This can lead to session hijacking, defacement, theft of sensitive information, or further compromise of the Wolf CMS installation.
Mitigation
The official Wolf CMS project may have addressed this issue in versions after 0.75. Users should upgrade to the latest available version. If upgrading is not possible, input validation and output encoding of the admin_email parameter should be implemented. No specific advisory or patch was found in the available reference [1].
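One way to apply the input validation and output encoding recommended above, as an added example that is not Wolf CMS code: the helper names `validate_admin_email`, `h` and `render_admin_email_field`, the form markup, and the sample values are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (not part of Wolf CMS). Requires PHP 8.0+ for `mixed`.

/**
 * Input validation on write: accept only a syntactically valid address.
 * Returns the cleaned address, or null when the value must be rejected.
 */
function validate_admin_email(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null; // e.g. the parameter was submitted as an array
    }
    $email = trim($raw);
    if ($email === '' || strlen($email) > 254) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

/** Output encoding for HTML text and quoted-attribute contexts. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the settings field; the stored value is always encoded. */
function render_admin_email_field(string $stored): string
{
    return '<input type="text" name="setting[admin_email]" value="' . h($stored) . '">';
}

// Constructed sample values: one valid address, two that carry markup.
$samples = [
    'admin@example.org',
    '"><script>alert(1)</script>',
    'admin@example.org" onfocus="alert(1)',
];

foreach ($samples as $sample) {
    $result = validate_admin_email($sample) === null ? 'rejected' : 'accepted';
    printf("%-42s => %s\n", $sample, $result);
    // Encoding is applied regardless, so values stored before the fix render inertly.
    echo '  ', render_admin_email_field($sample), "\n";
}
```

Validation keeps new malformed values out of storage; the encoding step is what neutralizes anything already stored when the settings page is rendered.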
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Wolf CMS/Wolf CMS
Patches
No patches discovered yet.
References (1)