I have discovered two vulnerabilities in ImpressCMS. These have been fixed
in the new 1.3.6 version, which you can get at
One is an arbitrary file deletion and the other is two cross-site scripting issues.
Note that I was unable to exploit the XSS issues due to the inbuilt
protection module, so I'm not sure if it qualifies for a CVE.
The tickets containing the information are available here
Unfortunately I can't paste the full report in this email as the Android
Gmail client will mangle it. Please see the text file at
Thanks in advance, and thanks to the ImpressCMS team for being so
Agile Information Security