CVE-2007-4862 in SAXONinfo

Summary

by MITRE

Cross-site scripting (XSS) vulnerability in admin/menu.php in SAXON 5.4 allows remote attackers to inject arbitrary web script or HTML via the config[news_url] parameter.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 12/08/2025

The vulnerability identified as CVE-2007-4862 represents a critical cross-site scripting flaw within the SAXON 5.4 content management system, specifically affecting the administrative menu component. This issue resides in the admin/menu.php file where user-supplied input is not properly sanitized before being rendered back to web browsers. The vulnerability manifests through the config[news_url] parameter which serves as an injection vector for malicious web scripts or HTML content. The flaw enables remote attackers to execute arbitrary code within the context of other users' browsers, potentially compromising user sessions and data integrity.

This vulnerability directly maps to CWE-79, which defines Cross-Site Scripting as a weakness where applications fail to properly validate or escape user-provided input before incorporating it into dynamically generated web pages. The attack occurs when the application processes the config[news_url] parameter without adequate input filtering or output encoding, allowing malicious payloads to be stored and subsequently executed when legitimate users access the affected administrative interface. The exploitation requires no authentication and can be performed from any remote location, making it particularly dangerous in web applications where administrative interfaces are accessible to unauthorized users.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to hijack user sessions, steal sensitive information, manipulate administrative functions, or redirect users to malicious websites. When an administrator or authenticated user accesses the compromised menu.php page, the injected script executes within their browser context, potentially leading to complete system compromise. The vulnerability affects the confidentiality, integrity, and availability of the web application by allowing unauthorized modifications to content and user interactions. This type of flaw is particularly concerning in content management systems where administrators have elevated privileges and access to sensitive system configurations and user data.

Mitigation strategies for CVE-2007-4862 should focus on implementing proper input validation and output encoding mechanisms throughout the application. The primary defense involves sanitizing all user-supplied input, particularly parameters like config[news_url], through strict validation that rejects or removes potentially malicious content. Implementing context-specific output encoding before rendering any user-provided data in web pages prevents script execution regardless of input validation failures. Additionally, the application should enforce proper access controls to ensure that only authorized administrative users can modify configuration parameters. Security measures should include regular input filtering, output encoding, and the implementation of Content Security Policy headers to limit script execution capabilities. Organizations should also consider implementing web application firewalls to detect and block suspicious input patterns targeting known XSS vulnerabilities. The remediation process requires immediate patching of the affected SAXON 5.4 version or implementing custom input validation routines to prevent the config[news_url] parameter from accepting malicious payloads, aligning with the principle of least privilege and defense in depth as recommended by cybersecurity frameworks.

Reservation

09/13/2007

Disclosure

10/30/2007

Moderation

accepted

Entry

VDB-39474

CPE

ready

Exploit

Download

EPSS

0.01849

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!