Multiple cross-site request forgery (CSRF) and cross-site
scripting (XSS) vulnerabilities in Axous 1.1.1 and earlier allow
remote attackers to hijack the authentication of administrators for
requests that (1) add an administrator account via an addnew action
to admin/administrators_add.php; or (2) conduct cross-site
scripting (XSS) attacks via the page_title parameter to
admin/content_pages_edit.php; the (3) category_name[] parameter to
admin/products_category.php; the (4) site_name, (5) seo_title, or
(6) meta_keywords parameter to admin/settings_siteinfo.php; the (7)
company_name, (8) address1, (9) address2, (10) city, (11) state,
(12) country, (13) author_first_name, (14) author_last_name, (15)
author_email, (16) contact_first_name, (17) contact_last_name, (18)
contact_email, (19) general_email, (20) general_phone, (21)
general_fax, (22) sales_email, (23) sales_phone, (24)
support_email, or (25) support_phone parameter to
admin/settings_company.php; or the (26) system_email, (27)
sender_name, (28) smtp_server, (29) smtp_username, (30)
smtp_password, or (31) order_notice_email parameter to
admin/settings_email.php. (CVSS: 6.8) (Last Update: 2020-02-28)
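
A log-review check for the CSRF indicator on the endpoints listed above, as an added example that is not part of the advisory or of Axous itself: it flags POST requests to those admin scripts whose Referer is missing or points to another host. It assumes Apache/nginx combined log format; the host shop.example and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Admin scripts named in the advisory, matched as path suffixes so a
# sub-directory install (e.g. /store/admin/...) is covered too.
ADMIN_ENDPOINTS = (
    "/admin/administrators_add.php", "/admin/content_pages_edit.php",
    "/admin/products_category.php", "/admin/settings_siteinfo.php",
    "/admin/settings_company.php", "/admin/settings_email.php",
)

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def classify(line, site_host):
    """Return a finding dict for a suspicious admin POST, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    path = urlsplit(m["target"]).path
    if not path.endswith(ADMIN_ENDPOINTS):
        return None
    ref = m["referer"]
    host = urlsplit(ref).hostname if ref not in ("", "-") else None
    if host is None:
        reason = "missing-referer"
    elif host.lower() != site_host.lower():
        reason = "cross-origin-referer"
    else:
        return None  # same-origin form submission: expected admin activity
    return {"ip": m["ip"], "time": m["time"], "path": path,
            "referer_host": host, "reason": reason}

def scan(lines, site_host):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(l, site_host) for l in lines) if f]

# Constructed sample lines (documentation IP ranges, placeholder hosts).
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2012:10:01:22 +0000] "POST /admin/administrators_add.php HTTP/1.1" 302 - "https://forum.example.net/thread/9" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2012:10:05:10 +0000] "POST /admin/settings_email.php HTTP/1.1" 200 512 "https://shop.example/admin/settings_email.php" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2012:10:09:41 +0000] "POST /store/admin/settings_company.php HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2012:10:10:02 +0000] "GET /admin/administrators_add.php HTTP/1.1" 200 2048 "https://forum.example.net/" "Mozilla/5.0"',
    '192.0.2.15 - - [12/Mar/2012:10:12:30 +0000] "POST /checkout.php HTTP/1.1" 200 901 "https://forum.example.net/" "Mozilla/5.0"',
]
```

Access logs do not record POST bodies, so this covers only the forged-request indicator, not the content of the XSS-affected parameters. A missing Referer is a weaker signal than a cross-origin one, since privacy tools strip the header from legitimate requests as well.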