leaftec cms multiple vulnerabilities

leaftec cms is a small CMS developed by a German individual / German company. Sadly, the CMS is not available for free download, so I stumbled across the vulnerabilities while visiting a website that was based on leaftec cms.

I contacted the vendor, but sadly my contact attempts were ignored and the vulnerabilities are still present today.

#1 SQL Injection

Vulnerable URL:


Examples for testing and injecting SQL payloads:




(Tested on a live website using leaftec cms.)

#2 XSS / HTML Code Injection

Several parts of the CMS allow HTML and JavaScript code injection, e.g. the login box.

After the form is submitted, the CMS puts a red border around the login and password fields, but it also renders the injected code as part of the page.

Example HTML payload:

"><iframe src=http://www.google.de></iframe>
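The attribute break-out behind that payload, shown as an added example that is not leaftec cms code (the CMS source is not public, so the login-box renderer, its field names and the `error` class are hypothetical). The same form is rendered once without output encoding and once with HTML-escaping of the echoed value, so the difference the CMS is missing is visible side by side:

```javascript
// Added example, not code from leaftec cms. It models a login box that,
// after a failed login, re-renders itself with a red border (class="error")
// and the submitted user name pre-filled in the value attribute.

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical renderer. `escape` decides whether the echoed value is
// encoded before it is placed inside the double-quoted value attribute.
function renderLoginBox(submittedUser, loginFailed, escape) {
  const cls = loginFailed ? ' class="error"' : "";
  const value = escape ? escapeHtml(submittedUser) : submittedUser;
  return (
    '<form method="post" action="/login">' +
    '<input type="text" name="user"' + cls + ' value="' + value + '">' +
    '<input type="password" name="pass"' + cls + ">" +
    '<input type="submit" value="Login">' +
    "</form>"
  );
}

// Number of real <iframe ...> start tags in the markup; any means the
// input escaped the attribute and became live HTML.
function countInjectedIframes(html) {
  return (html.match(/<iframe\b/gi) || []).length;
}

// The payload from the advisory: the leading quote ends the value
// attribute, the > ends the <input> tag, and the iframe is then markup.
const PAYLOAD = '"><iframe src=http://www.google.de></iframe>';

// Vulnerable rendering: submitted text is concatenated into the page as-is.
function vulnerableRender() {
  return renderLoginBox(PAYLOAD, true, false);
}

// Hardened rendering: the same payload stays inert text inside the attribute.
function hardenedRender() {
  return renderLoginBox(PAYLOAD, true, true);
}

console.log("vulnerable:", vulnerableRender());
console.log("iframes injected:", countInjectedIframes(vulnerableRender()));
console.log("hardened:  ", hardenedRender());
console.log("iframes injected:", countInjectedIframes(hardenedRender()));
```

The fix is context-specific encoding at the point where the value is written into the HTML, not input filtering on the way in; the red-border error path is exactly where a CMS tends to forget it, because it is a second, less-travelled rendering of the same form.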

Read all details here.

