Multiple XSS in Geeklog 1.3.7

Credit: snooq
Risk: Low
Local: No
Remote: Yes

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

nothing new. typical XSS bugs. summary ======= Geeklog is a web portal system written in PHP. There exists 5 XSS holes in the software. the 'holes' =========== --1--<script>alert(document.coo kie)</script> --2--<script>alert(do cument.cookie)</script> --3--<script> alert(document.cookie)</script> --4--<script>alert(docume nt.cookie)</script> --5-- 'homepage' field in the user's account information page is not sanitised properly. As a result, javascript can be injected by setting the 'homepage' field like this: http://url" onmouseover="alert(document.cookie) ** 3) & 4) were found by Dirk Haun of Geeklog Team. vendor status ============= 03/01/2003 contacted Dirk Haun of Geeklog team 14/01/2003 Geeklog 1.3.7sr1 was released. New version closes all holes found. --==snooq==--

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023,


Back to Top