A vulnerability in Twilight CMS version 5.17, and possibly other versions, could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks.
The vulnerability is due to insufficient validation of user-supplied input submitted to the gallery/ page via PATH_INFO. An attacker could exploit this vulnerability by persuading a user to follow a malicious URL that is designed to submit crafted input to the affected software. If successful, it could allow the attacker to execute arbitrary script or HTML code in the user's browser session under the context of the affected site. This could allow the attacker to access sensitive browser-based information such as cookie-based authentication credentials.
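The bug class described above, reflecting the PATH_INFO suffix of a request into the page without validation or output encoding, is shown here in a hypothetical gallery handler written for this advisory. It is not Twilight CMS code: the `/gallery/index.php/<item>` URL layout, the item-name format and the `CAPTIONS` data are constructed assumptions. The vulnerable handler echoes whatever PATH_INFO carries; the hardened one allowlists the item name and HTML-encodes everything it writes into the page.

```python
import html
import re
from typing import Dict, Tuple

# Hypothetical gallery handler illustrating the bug class in this advisory.
# Not Twilight CMS code; the item-name format is an assumption.
ITEM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed sample data standing in for gallery records.
CAPTIONS = {"summer": 'Summer "2023" <beach>'}


def item_from_path_info(environ: Dict[str, str]) -> str:
    """Return the gallery item named by PATH_INFO.

    For a request to /gallery/index.php/summer the web server hands the
    application PATH_INFO='/summer' (already percent-decoded under CGI/WSGI).
    """
    return environ.get("PATH_INFO", "").lstrip("/")


def gallery_vulnerable(environ: Dict[str, str]) -> Tuple[str, str]:
    """Vulnerable pattern: PATH_INFO is reflected into HTML unvalidated and unencoded."""
    item = item_from_path_info(environ)
    caption = CAPTIONS.get(item, "")
    return "200 OK", f"<h1>Gallery: {item}</h1><p>{caption}</p>"


def gallery_hardened(environ: Dict[str, str]) -> Tuple[str, str]:
    """Hardened: allowlist the item name, then HTML-encode every value written out."""
    item = item_from_path_info(environ)
    # Reject rather than sanitise: a gallery item name never needs markup.
    if not ITEM_RE.fullmatch(item) or item not in CAPTIONS:
        return "404 Not Found", "<h1>No such gallery item</h1>"
    # Encode on output regardless of validation, so stored data is safe too.
    return "200 OK", (
        f"<h1>Gallery: {html.escape(item, quote=True)}</h1>"
        f"<p>{html.escape(CAPTIONS[item], quote=True)}</p>"
    )


if __name__ == "__main__":
    crafted = {"PATH_INFO": "/<script>x</script>"}  # constructed test input
    print(gallery_vulnerable(crafted)[1])  # markup is reflected verbatim
    print(gallery_hardened(crafted))       # request is rejected with 404
```

Both defences matter: the allowlist stops crafted path segments from ever reaching the template, and the output encoding covers values the allowlist cannot express, such as the free-text caption.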
The vendor has not confirmed the vulnerability, and software updates are not available.
Users should verify that unsolicited links are safe to follow.
For additional information about XSS attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
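Where no IDS/IPS signature exists for this issue, administrators can review web server access logs for requests to the gallery page whose PATH_INFO suffix carries markup. The scanner below is an added example written for this advisory, not a Cisco or vendor tool: it assumes a combined-format access log and that the affected page is served under `/gallery/`, percent-decodes the suffix repeatedly so double-encoded input is inspected in its final form, and flags entries containing characters that never belong in a gallery item name. The sample log lines are constructed.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# One line of Apache/nginx "combined" style access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Characters and tokens that never belong in a gallery item name but are
# required to inject markup or event handlers into the reflected page.
SUSPICIOUS_RE = re.compile(r"[<>\"']|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

GALLERY_PREFIX = "/gallery/"  # assumption: the affected page lives under this path


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded input is inspected in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def gallery_path_info(target: str) -> Optional[str]:
    """Return the PATH_INFO-like suffix of a request to the gallery page, or None."""
    path = target.split("?", 1)[0]  # the query string is not part of PATH_INFO
    if not path.startswith(GALLERY_PREFIX):
        return None
    return path[len(GALLERY_PREFIX):]


def flag_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return log entries whose decoded gallery PATH_INFO contains markup-like content."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        suffix = gallery_path_info(m["target"])
        if suffix is None:
            continue  # request was not for the gallery page
        decoded = decode_fully(suffix)
        if SUSPICIOUS_RE.search(decoded):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path_info": decoded})
    return hits


# Constructed sample log lines (not real traffic); the two from 203.0.113.7
# carry single- and double-encoded markup in the gallery PATH_INFO.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /gallery/summer HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /gallery/%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 640
203.0.113.9 - - [10/Oct/2023:13:55:44 +0000] "GET /news/%3Cb%3E HTTP/1.1" 200 300
203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /gallery/%253Cimg%2520src%253Dx%2520onerror%253Dx%253E HTTP/1.1" 200 650
203.0.113.5 - - [10/Oct/2023:13:55:55 +0000] "GET /gallery/winter-2023?page=2 HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} suspicious PATH_INFO: {hit['path_info']!r}")
```

A 200 status on a flagged line is the notable signal: it indicates the page rendered the crafted suffix rather than rejecting it, which is exactly the behaviour the hardened handler above would turn into a 404.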