CVE-2015-2678
Description
Multiple cross-site scripting (XSS) vulnerabilities in MetalGenix GeniXCMS before 0.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter in the categories page to gxadmin/index.php or (2) page parameter to index.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GeniXCMS before 0.0.2 has multiple XSS vulnerabilities via the cat and page parameters, allowing arbitrary script injection.
Vulnerability
GeniXCMS versions before 0.0.2 are vulnerable to multiple reflected cross-site scripting (XSS) attacks. The cat parameter on the categories page (gxadmin/index.php) and the page parameter on index.php are not properly sanitized before being output, allowing injection of arbitrary HTML and JavaScript [1][4]. The vulnerability affects all installations prior to the 0.0.2 release.
Exploitation
An attacker can exploit these vulnerabilities by crafting a malicious URL containing a payload in the cat or page parameter. No authentication is required for the page parameter on index.php; the cat parameter requires access to the admin categories page, but no special privileges beyond that. The attacker can trick a victim into clicking the crafted link, or if the victim is an admin, the XSS can be triggered directly [1][4].
Impact
Successful exploitation allows an attacker to execute arbitrary script in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites. The impact is limited to the client side, but if an admin is targeted, the attacker could potentially perform administrative actions via XSS [1][4].
Mitigation
The vulnerability is fixed in GeniXCMS version 0.0.2, released on or before March 2015 [2]. Users should upgrade to 0.0.2 or later. The commit [2] shows the sanitization of output and addition of CSRF tokens. No workaround is provided for earlier versions. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
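As an added example (not part of this record or of the GeniXCMS project), the following Python scans web-server access logs for HTML/JS metacharacters in exactly the two parameters named above: cat on gxadmin/index.php and page on index.php. It assumes Apache/nginx combined log format; the sample lines and the query layout of the admin categories page are constructed, not taken from GeniXCMS.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint -> parameters named in the CVE description.
WATCHED = {
    "/gxadmin/index.php": {"cat"},
    "/index.php": {"page"},
}

# Combined log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A category id or page name should never contain tag delimiters,
# a javascript: scheme or an inline event handler.
SUSPICIOUS_RE = re.compile(r'<|>|javascript:|on\w+\s*=', re.IGNORECASE)


def suspicious_params(target):
    """Return [(param, decoded value)] for watched params on the request
    path whose value still contains HTML/JS metacharacters after decoding."""
    parts = urlsplit(target)
    watched = WATCHED.get(parts.path)
    if not watched:
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in watched:
            continue
        for value in values:
            decoded = unquote_plus(value)  # catch a second encoding layer
            if SUSPICIOUS_RE.search(decoded):
                hits.append((name, decoded))
    return hits


def scan(lines):
    """Parse each log line and report requests that look like XSS probes."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in suspicious_params(m.group("target")):
            findings.append({"ip": m.group("ip"), "param": name,
                             "value": value, "status": int(m.group("status"))})
    return findings


# Constructed sample log lines (RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2015:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2015:12:00:02 +0000] "GET /index.php?page=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2015:12:00:03 +0000] "GET /gxadmin/index.php?page=categories&cat=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2015:12:00:04 +0000] "GET /gxadmin/index.php?page=posts&cat=3 HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

A 200 status on a flagged request means the server reflected the value rather than rejecting it; correlate with the admin session for cat hits, since that parameter is only reachable from the categories page.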
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <0.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- blog.metalgenix.com/genixcms-v0-0-2-release-security-and-bug-fixes/ (NVD: Patch)
- packetstormsecurity.com/files/130771/GeniXCMS-0.0.1-Cross-Site-Scripting.html (NVD: Exploit)
- www.exploit-db.com/exploits/36321 (NVD: Exploit)
- osvdb.org/show/osvdb/119394 (NVD)
- www.securityfocus.com/bid/73301 (NVD)
- www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5233.php (NVD)
- github.com/semplon/GeniXCMS/commit/698245488343396185b1b49e7482ee5b25541815 (NVD)
- github.com/semplon/GeniXCMS/issues/7 (NVD)
News mentions
No linked articles in our index yet.