VYPR
Unrated severity · NVD Advisory · Published Feb 20, 2020 · Updated Aug 6, 2024

CVE-2012-2629

Description

Multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities in Axous 1.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator account via an addnew action to admin/administrators_add.php; or (2) conduct cross-site scripting (XSS) attacks via the page_title parameter to admin/content_pages_edit.php; the (3) category_name[] parameter to admin/products_category.php; the (4) site_name, (5) seo_title, or (6) meta_keywords parameter to admin/settings_siteinfo.php; the (7) company_name, (8) address1, (9) address2, (10) city, (11) state, (12) country, (13) author_first_name, (14) author_last_name, (15) author_email, (16) contact_first_name, (17) contact_last_name, (18) contact_email, (19) general_email, (20) general_phone, (21) general_fax, (22) sales_email, (23) sales_phone, (24) support_email, or (25) support_phone parameter to admin/settings_company.php; or the (26) system_email, (27) sender_name, (28) smtp_server, (29) smtp_username, (30) smtp_password, or (31) order_notice_email parameter to admin/settings_email.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Axous 1.1.1 and earlier suffer from multiple CSRF and XSS flaws enabling admin account hijacking and arbitrary script injection.

Vulnerability

Axous 1.1.1 and earlier contain multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities. The CSRF issue exists in admin/administrators_add.php via an addnew action, allowing an attacker to add a new administrator account without proper token validation. Persistent XSS vulnerabilities are present in several admin parameters: page_title in admin/content_pages_edit.php; category_name[] in admin/products_category.php; site_name, seo_title, meta_keywords in admin/settings_siteinfo.php; numerous company settings fields in admin/settings_company.php; and email settings fields in admin/settings_email.php. These parameters are not sanitized before being stored and displayed, leading to stored XSS [1].

Exploitation

For CSRF exploitation, an attacker must trick an authenticated administrator into visiting a crafted HTML page or clicking a malicious link while logged into the Axous admin panel. The attacker can then submit a request to admin/administrators_add.php to create a new admin account with arbitrary credentials. For XSS, an attacker with any level of access (e.g., a low-privileged user or via CSRF) can inject JavaScript payloads into the vulnerable parameters. When an administrator views the affected pages (e.g., editing a content page, managing categories, or viewing site settings), the injected script executes in the context of the admin's session [1].

Impact

Successful CSRF allows an attacker to create a new administrator account, gaining full control over the Axous application. Successful XSS enables the attacker to execute arbitrary JavaScript in the administrator's browser, potentially stealing session cookies, performing actions on behalf of the admin, or defacing the site. Combined, these vulnerabilities can lead to complete compromise of the Axous installation [1].

Mitigation

No official patch or fixed version has been released by the vendor for Axous 1.1.1 or earlier. As of the publication date (2020-02-20), the software appears to be abandoned or unsupported. Mitigation strategies include restricting access to the admin panel via IP whitelisting, using a web application firewall (WAF) to block malicious requests, and implementing additional CSRF tokens and input sanitization manually. Users should consider migrating to an alternative, actively maintained e-commerce platform [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Axous/Axous (listed from the description and from LLM-created data)
    Range: <=1.1.1

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing anti-CSRF tokens allow request forgery, and improper input sanitization of numerous admin-panel parameters enables persistent cross-site scripting."

Attack vector

An attacker can craft a malicious web page that, when visited by an authenticated Axous administrator, silently submits a forged HTTP POST request to admin/administrators_add.php, adding a new admin account (CSRF) [ref_id=1]. Separately, an attacker who can submit data to any of the listed parameters (e.g., page_title, category_name[], site_name, company_name fields, email settings) can inject persistent JavaScript; the injected script executes in the context of the admin panel when another administrator views the affected page [ref_id=1]. Both attack vectors require the victim to have an active admin session and, for CSRF, to visit a page under the attacker's control.

Affected code

The vulnerabilities affect multiple admin-side PHP scripts in Axous 1.1.1 and earlier. The CSRF issue allows any admin action to be forged because no anti-CSRF token is used. The persistent XSS flaws exist in parameters passed to admin/content_pages_edit.php (page_title), admin/products_category.php (category_name[]), admin/settings_siteinfo.php (site_name, seo_title, meta_keywords), admin/settings_company.php (company_name, address1, address2, city, state, country, author_first_name, author_last_name, author_email, contact_first_name, contact_last_name, contact_email, general_email, general_phone, general_fax, sales_email, sales_phone, support_email, support_phone), and admin/settings_email.php (system_email, sender_name, smtp_server, smtp_username, smtp_password, order_notice_email) [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory [ref_id=1] states that Axous does not use an anti-CSRF token and does not sanitize user-supplied input before storing it. To remediate the CSRF issues, the application should implement anti-CSRF tokens or require re-authentication for sensitive actions. To remediate the XSS issues, all user-supplied parameters should be properly sanitized or encoded before being stored and rendered in the admin panel.
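The remediation described above, as an added illustration written for this page rather than code from Axous: a per-session anti-CSRF token checked with a constant-time comparison on the addnew action, plus output encoding of a stored field before it is rendered. The handler layout, the csrf_token field name and the sample page_title value are assumptions.

```php
<?php
// Added example, not Axous code. Demonstrates the two fixes the advisory calls
// for: an anti-CSRF token on state-changing admin requests and HTML encoding
// of user-supplied values before they are rendered in the admin panel.

// Defense in depth: SameSite=Lax keeps the session cookie off cross-site POSTs
// in modern browsers (PHP 7.3+ for the array form of this call).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Issue one unpredictable token per session from the CSPRNG.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept a request only if the submitted token matches the session's token.
// hash_equals() avoids leaking the token through timing differences.
function csrf_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Encode for an HTML attribute/text context; quotes included so the value
// cannot break out of value="...".
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The addnew action (administrators_add.php in the advisory) is now gated.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'addnew') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    // ... create the administrator account here (storage omitted) ...
}

// Constructed sample of a stored page_title containing markup; encoding it
// turns the tag into inert text instead of executable script.
$pageTitle = $_POST['page_title'] ?? 'Home <script>alert(1)</script>';
?>
<form method="post" action="administrators_add.php">
  <input type="hidden" name="action" value="addnew">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
  <input type="text" name="page_title" value="<?= h($pageTitle) ?>">
  <button type="submit">Save</button>
</form>
```

Every form that changes state needs the hidden token, and every echoed field (not only page_title) needs the same encoding step.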

Preconditions

  • auth: Attacker must trick an authenticated Axous administrator into visiting a crafted web page (for CSRF) or submitting crafted input to the admin panel (for XSS).
  • auth: Victim must have an active admin session in Axous.
  • network: For CSRF, the attacker's page must be able to send HTTP requests to the Axous admin panel (no same-origin policy bypass needed for form submissions).

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions


No linked articles in our index yet.