Title: Omeka 2.2 - Cross-Site Request Forgery / Persistent Cross-Site Scripting Edb-ID: 34100 CVE: 2014-5100 Author: LIQUIDWORM Type: WEBAPPS Platform: PHP Date: 2014-07-17 Vulnerable App: Vulnerabilities: Omeka version 2.2 suffers from a cross-site request forgery and a stored XSS vulnerability. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to the 'api_key_label' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.