Wallpaper Script Stored XSS Vulnerability

2014.01.10

Credit: nullp0int3r

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2013-7274

CWE: CWE-79

CVSS Base Score: 3.5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 6.8/10

Exploit range: Remote

Attack complexity: Medium

Authentication: Single time

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

[~] Exploit Title : Wallpaper Script Stored XSS Vulnerability
[~] D0rk Google : 
[~] Author : nullp0int3r (0x00p0int3r@gmail.com)
[~] Version : 3.5.0082
[~] Date : 2013-12-14
[~] Vendor Homepage: http://www.wallpaperscript.com/
[~] Test on : Windows


Exploitation:
1) Register and log on as a regular member
2) Click on "Add Wallpaper"
3) Write in the title field: </title><script>alert("XSS")</script>
4) Fill other fields and choose a photo and click on "Save"
5) Go to "My Wallpapers"
6) Select your uploaded photo

Thanks:
Enddo
Far3nh3it

References:

http://xforce.iss.net/xforce/xfdb/89913

http://www.exploit-db.com/exploits/30356

http://secunia.com/advisories/56205

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Wallpaper Script Stored XSS Vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.