Two flaws were discovered in w-CMS. First is due to improper sanitisation of input data passed via „p“ parameter to index.php. The data are not properly sanitised in „getMenus()“ function. It allow attacker to execute arbitrary HTML or script code in user’s browser session.

Input data passed via „COMMENT“ parameter to index.php are not properly sanitised before bein used in codes/blog.php, codes/guestbook.php or codes/forum.php. An attacker may exploit the flaw to inject arbitrary HTML or script code and to execute it in user’s browser session.

Flaws were found in version 2.01.

Source: Secunia
13.01.2012