Title: TUTOS Multiple Input Validation Vulnerabilities
Severity: MODERATE
Description:
The Ultimate Team Organization Software (TUTOS) is a content management system designed to be implemented on Linux platforms.
Multiple vulnerabilities have been identified in various modules of the application. These vulnerabilities may allow a remote attacker to carry out various attacks such as path disclosure, cross-site scripting, and possibly SQL injection.
The following specific issues have been identified:
Multiple cross-site scripting vulnerabilities have been identified in the application. These issues present themselves due to insufficient sanitization of user-supplied data passed via URI requests. These issues are reportedly present in the 'company_new.php', 'app_new.php', 'task_new.php', and '[xxxx]_new.php' scripts. It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks may also be possible.
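The reflection pattern behind this class of issue, and the corrected form, as an added illustration that is not TUTOS code and not taken from this advisory: a hypothetical "*_new.php" style form handler that echoes a URI parameter back into an input field. The parameter name "name", the form markup, and the allow-list policy are assumptions.

```php
<?php
// Added illustration, not TUTOS code. Models a "*_new.php" style form
// handler that echoes a URI parameter back into the page: first the
// reflecting pattern the advisory describes, then a hardened version.
// The parameter name "name" and the form markup are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the raw query-string value is written straight into
// HTML, so any markup in the parameter is interpreted by the browser.
function render_unsafe(array $query): string
{
    $name = $query['name'] ?? '';
    return '<input type="text" name="name" value="' . $name . '">';
}

// Hardened pattern: validate the value against what the field actually
// accepts, then HTML-encode it for the attribute context on output.
function render_safe(array $query): string
{
    $name = $query['name'] ?? '';

    // Allow-list validation (assumed policy): letters, digits, spaces and a
    // few punctuation marks, at most 100 characters. Values outside the
    // policy are rejected rather than "cleaned"; a real handler would also
    // send an HTTP 400 here.
    if ($name !== '' && !preg_match('/^[\p{L}\p{N} .,&\'-]{1,100}$/u', $name)) {
        return '<p>Invalid value for field "name".</p>';
    }

    // Context-aware output encoding: ENT_QUOTES encodes both quote styles,
    // which matters inside a double-quoted attribute value.
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="name" value="' . $safe . '">';
}

// Constructed sample requests: a benign value whose characters would break
// out of the attribute if left unencoded, and a value containing markup.
$benign = ['name' => "O'Brien & Sons"];
$markup = ['name' => 'Acme <b>Corp</b>'];

echo render_unsafe($benign), PHP_EOL;   // quote and ampersand land in the attribute as-is
echo render_safe($benign), PHP_EOL;     // value="O&#039;Brien &amp; Sons"
echo render_safe($markup), PHP_EOL;     // rejected by the allow-list
```

Validation and output encoding are separate controls: the allow-list limits what a field accepts, while `htmlspecialchars` makes whatever is accepted safe for the specific HTML context it is written into.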
The application is also affected by an information disclosure issue that may reveal its installation path and other sensitive information. This issue presents itself when an invalid URI request is issued to the server, which may cause an SQL error message containing sensitive information to be returned to the attacker. It has been reported that this vulnerability may be leveraged to carry out SQL injection; however, this has not been confirmed at the moment.
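The two layers that keep an invalid URI request from turning into a revealing SQL error page, as an added illustration that is not TUTOS code and not taken from this advisory: validate the identifier before it reaches the database, and convert any database failure into a generic response while logging the detail server-side. The `task` table, its columns, and the `id` parameter are assumptions; an in-memory SQLite database stands in for the real one.

```php
<?php
// Added illustration, not TUTOS code. Demonstrates (1) rejecting malformed
// identifiers before any SQL runs, (2) parameterised queries, and (3) error
// handling that logs engine messages instead of returning them to the client.
// Table, column and parameter names are assumptions.

declare(strict_types=1);

// Production settings: never echo engine errors or stack traces to clients.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function open_db(): PDO
{
    // In-memory SQLite with constructed data stands in for the real database.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE task (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec("INSERT INTO task (id, title) VALUES (1, 'Write advisory')");
    return $db;
}

// Returns [http_status, body]. The body never contains DB or path details.
function show_task(PDO $db, array $query): array
{
    // Layer 1: the id must be a positive integer. Anything else is a bad
    // request that never reaches SQL, so it cannot trigger an engine error.
    $id = filter_var(
        $query['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return [400, 'Invalid request.'];
    }

    try {
        // Parameterised query: the value travels separately from the SQL text.
        $stmt = $db->prepare('SELECT title FROM task WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return [404, 'Not found.'];
        }
        return [200, htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8')];
    } catch (PDOException $e) {
        // Layer 2: the detailed message (which may include file paths or
        // query fragments) goes to the server log only.
        error_log('task lookup failed: ' . $e->getMessage());
        return [500, 'An internal error occurred.'];
    }
}

$db = open_db();
// Constructed sample requests: valid, non-numeric, unknown id, missing id.
foreach ([['id' => '1'], ['id' => 'abc'], ['id' => '999'], []] as $q) {
    [$status, $body] = show_task($db, $q);
    echo $status, ' ', $body, PHP_EOL;
}
```

The `display_errors` and `log_errors` settings belong in the server's `php.ini` rather than in application code; they are set inline here only so the example is self-contained.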
TUTOS version 1.1.20031017 is reported to be vulnerable to these issues.
Affected Products:
- Tutos Tutos 1.1.0.20031017
References:
- Tutos: Tutos Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.