Bug: X7Chat <= 2.0.2 avatar XSS injection

Published: 2006.05.10
Credit: zerogue gmail com
Risk: Low
CWE: CWE-79
CVE: CVE-2006-2282
Local: No
Remote: Yes

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

X7Chat <= 2.0.2 avatar XSS injection

Discovered by: Nomenumbra

Date: 6/4/2006

Impact: moderate (privilege escalation, possible defacement)

X7Chat versions 2.0.2 and below are prone to XSS injection in a user's avatar.

By setting this as the URL of your avatar:

javascript:alert('xss')

you'd have some good ol' XSS.

Nomenumbra/[0x4F4C]
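
One way to close this class of hole, as an added example that is not X7Chat's code and not part of the original advisory: accept an avatar URL only if it parses as http or https, and HTML-escape it when it is written into the page. It assumes the avatar is rendered as an img tag; the function names and the fallback image path are hypothetical.

```javascript
// Added example: allow-list check for a user-supplied avatar URL.
// safeAvatarUrl, escapeAttr and renderAvatar are hypothetical names.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns a normalised http(s) URL, or null if the input must be rejected.
function safeAvatarUrl(input) {
  if (typeof input !== 'string' || input.length > 2048) return null;
  let url;
  try {
    // WHATWG URL parsing, the same algorithm browsers apply: the scheme is
    // lower-cased and surrounding whitespace is stripped before we inspect
    // it, so the check sees the value the way the browser will.
    url = new URL(input);
  } catch (e) {
    return null; // relative or unparsable values are not accepted
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // javascript:, data:, ...
  if (url.username !== '' || url.password !== '') return null; // no credentials
  return url.href; // store and emit the parsed form, not the raw input
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Render the avatar; a rejected value falls back to a fixed default image
// (the path is an assumption for this example).
function renderAvatar(input, fallback = '/images/default-avatar.png') {
  const url = safeAvatarUrl(input);
  const src = escapeAttr(url === null ? fallback : url);
  return `<img class="avatar" src="${src}" alt="avatar">`;
}

// Constructed sample inputs: the advisory's value and an ordinary image URL.
const samples = ["javascript:alert('xss')", 'https://example.com/me.png'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeAvatarUrl(s));
}
```

Checking the scheme against an allow-list after parsing, rather than searching the raw string for "javascript:", keeps the verdict the same however the scheme is spelled or padded.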

Copyright 2014, cxsecurity.com