MojoPortal 2.3.9.7 Cross Site Scripting

2013-08-01 / 2013-08-21
Credit: Michael Savage
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2013-5320
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Class Stored Cross-Site Scripting Remote Yes Credit Michael Savage of Dionach (vulns@dionach.com) Vulnerable MojoPortal 2.3.9.7 MojoPortal is prone to a stored cross-site scripting vulnerability because it does not escape the titles of forum threads when inserting into the page title element. An attacker may leverage this issue to run JavaScript in the context of another user's browser. MojoPortal 2.3.9.7 is known to be vulnerable. Other versions may also be vulnerable. To exploit this issue, an attacker must create a crafted post, for example: POST /Forums/EditPost.aspx [txtSubject=+</title><script>alert("XSS!")</script>] The vendor has released an updated version (2.3.9.8) which is believed to resolve this issue. See the announcement at https://www.mojoportal.com/mojoportal-2398-released

References:

https://www.mojoportal.com/mojoportal-2398-released
http://archives.neohapsis.com/archives/bugtraq/2013-07/0200.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top