phpVibe < 4.20 Stored Cross Site Scripting

2015.07.17
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# phpVibe < 4.20 Stored XSS # Vendor Homepage: http://www.phpvibe.com # Affected Versions: prior to 4.20 # Discovered by Filippos Mastrogiannis # Twitter: @filipposmastro # LinkedIn: https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177 -- Description -- This stored XSS vulnerability allows any logged in user to inject malicious code in the comments section: e.g. "><body onLoad=confirm("XSS")> The vulnerability exists because the user input is not properly sanitized and this can lead to malicious code injection that will be executed on the target?s browser -- Proof of Concept -- 1. The attacker posts a new comment which contains our payload: "><body onLoad=confirm("XSS")> 2. The stored XSS can be triggered when any user visits the link of the uploaded content -- Solution -- The vendor has fixed the issue in the version 4.21

References:

https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top