Multiple vulnerabilities in Newscoop
| Vulnerable Versions: | 3.5.3 and probably prior, partially 4.0 RC3 |
| Advisory Publication: | March 28, 2012 [without technical details] |
| Vendor Notification: | March 28, 2012 |
| Vendor Fix: | April 5, 2012 |
| Public Disclosure: | April 18, 2012 |
| Latest Update: | April 23, 2012 |
| Vulnerability Type: | PHP File Inclusion [CWE-98], SQL Injection [CWE-89], Cross-Site Scripting [CWE-79] |
| CVSSv2 Base Scores: | 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) |
| Solution Status: | Fixed by Vendor |
| Discovered and Provided: | High-Tech Bridge Security Research Lab |
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Newscoop, which can be exploited to perform Remote File Inclusion, SQL Injection and Cross-Site Scripting (XSS) attacks.
Upgrade to Newscoop 3.5.5.
Make sure that "register_globals" is set to off (fix for CVE-2012-1933).
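A check for the "register_globals" step above, as an added example that is not part of the original advisory or of Newscoop's code: it reads php.ini-style or Apache per-directory configuration text and reports whether register_globals ends up enabled. The function names and the sample file contents are constructed for illustration.

```python
import re

# Values PHP accepts as "true" for a boolean ini setting (case-insensitive).
TRUTHY = {"1", "on", "yes", "true"}

# php.ini form:   register_globals = On
# Anchoring at line start means commented-out lines ("; register_globals ...") never match.
INI_RE = re.compile(r'^\s*register_globals\s*=\s*"?([^";\s]*)"?', re.I)
# Apache form (.htaccess / httpd.conf):   php_flag register_globals on
APACHE_RE = re.compile(
    r'^\s*php_(?:admin_)?(?:flag|value)\s+register_globals\s+"?([^"#\s]*)"?', re.I)


def scan(text, kind):
    """Return [(line_no, raw_value, enabled)] for every register_globals setting.

    kind is "ini" for php.ini-style text, "apache" for .htaccess/httpd.conf text.
    """
    pattern = INI_RE if kind == "ini" else APACHE_RE
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = pattern.match(line)
        if match:
            value = match.group(1)
            hits.append((line_no, value, value.lower() in TRUTHY))
    return hits


def effective(text, kind):
    """True/False for the last setting in the file (later lines override earlier
    ones); None if the file does not set register_globals at all."""
    hits = scan(text, kind)
    return hits[-1][2] if hits else None


# Constructed sample inputs (not taken from any real installation).
SAMPLE_INI = """[PHP]
; register_globals = On
register_globals = On
register_globals = Off
"""
SAMPLE_HTACCESS = """# per-directory override
php_flag register_globals on
"""

if __name__ == "__main__":
    print("php.ini  :", scan(SAMPLE_INI, "ini"), "->", effective(SAMPLE_INI, "ini"))
    print(".htaccess:", scan(SAMPLE_HTACCESS, "apache"), "->", effective(SAMPLE_HTACCESS, "apache"))
```

A per-directory `php_flag` line can re-enable the setting even when php.ini turns it off, so both kinds of file need checking.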
High-Tech Bridge Advisory HTB23084 - https://www.htbridge.com/advisory/HTB23084 - Multiple vulnerabilities in Newscoop.
Newscoop - http://www.sourcefabric.org - is an open Content Management System for journalists & online newspapers.
Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.