Cross-site Scripting and CSRF in TorrentTrader Classic v1.08

Risk: Low
Local: No
Remote: Yes

Cross-site Scripting and CSRF in TorrentTrader Classic v1.08 Application: TorrentTrader Classic v1.08, possible other versions. Vendor URL: 809271. 1. Input passed to the msg property of account-inbox.php is not properly sanitized before being displayed to the user. A malicious authenticated user can execute arbitrary HTML and scripting code in a user's browser session in context of an affected web site. Example: http://[host]/account-inbox.php?msg=<script>alert(document.cookie)</scr ipt>&receiver=<username> 2. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. A malicious person can perform a CSRF attack. Example: http://[host]/account-inbox.php?msg=<message>&receiver=<username> Vulnerability #1 was discovered by Dominus. Original URL: BR, Valery Marchuk

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022,


Back to Top