SyndeoCMS 3.0.01 (and lower) is prone to a persistent XSS vulnerability due to an improper input sanitization of “email” parameter, passed to server side logic (path: “starnet/index.php”) via http POST method.
Exploiting this vulnerability an authenticated user – which is able to change his profile settings – could insert arbitrary code in “Site email” field that will be executed when another admin or user clicks on that user’profile.
MITRE CVE Numbering Authority assigned me CVE-2012-1979 for this vulnerability.
To view my Original Advisory:
SyndeoCMS <= 3.0.01 Persistent XSS Advisory
Other related publications: