evoBlog Remote Name tag Script injection

2006.03.07

Credit: sikik bsdmail org

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2006-1077

CWE: CWE-Other

Ogólna skala CVSS: 4.3/10

Znaczenie: 2.9/10

Łatwość wykorzystania: 8.6/10

Wymagany dostęp: Zdalny

Złożoność ataku: Średnia

Autoryzacja: Nie wymagana

Wpływ na poufność: Brak

Wpływ na integralność: Częściowy

Wpływ na dostępność: Brak

DESCRIPTION
evoBlog is prone to HTML injection attacks. It is possible for a malicious evoBlog user to inject hostile HTML and script code into the commentary via form fields. This code may be rendered in the browser of a web user who views the commentary of evoBlog.
evoBlog does not adequately filter HTML tags from various fields. This may enable an attacker to inject arbitrary script code into pages that are generated by the evoBlog.

All versions are vulnerable.

EXPLOIT

Write and HTML script for example: <script>alert('test')</script> in the name tag.

HOMEPAGE
http://www.ajaxreview.com/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

evoBlog Remote Name tag Script injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.