source: http://www.securityfocus.com/bid/27876/info
Jinzora is prone to multiple HTML-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and launch other attacks.
Jinzora 2.7.5 is vulnerable; other versions may also be affected.
http://www.example.com/[installdir]/ajax_request.php?language=<IMG SRC="javascript:alert('DSecRG XSS')">
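A detection check for the issue described above, as an added example that is not part of the original advisory or of Jinzora's code: it flags access-log requests in which an input named in the CVE-2008-0877 description (quoted in the record below) carries HTML markup, including double-encoded values and PATH_INFO. The combined log format, the `/jinzora/` install path, the sample lines and the markup heuristic are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script -> injectable inputs named for it in the CVE-2008-0877 description.
AFFECTED = {
    "index.php": {"frontend", "set_frontend", "jz_path", "theme", "set_theme", "PATH_INFO"},
    "ajax_request.php": {"frontend", "theme", "language"},
    "slim.php": {"jz_path", "PATH_INFO"},
    "popup.php": {"frontend", "theme", "jz_path", "query", "siteNewsData"},
}
# Heuristic (assumption): tag delimiters, a double quote or a javascript: URI.
MARKUP = re.compile(r'[<>"]|javascript\s*:', re.I)
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def inspect_target(target):
    """Return 'script:input' for each affected input that carries markup."""
    parts = urlsplit(target)
    segments = parts.path.split("/")
    script = next((s for s in segments if s in AFFECTED), None)
    if script is None:
        return []
    # Strip names: two of the published request examples put spaces around "=".
    fields = [(n.strip(), v) for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    fields.append(("PATH_INFO", "/".join(segments[segments.index(script) + 1:])))
    return [f"{script}:{name}" for name, value in fields
            if name in AFFECTED[script] and MARKUP.search(fully_decode(value))]

def scan(lines):
    """Return (line_number, findings) for each log line that matches."""
    found = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match and (hits := inspect_target(match.group(1))):
            found.append((number, hits))
    return found

# Constructed access-log lines (documentation addresses, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Feb/2008:10:00:01 +0000] "GET /jinzora/ajax_request.php?language=%3CIMG%20SRC=%22javascript:alert(1)%22%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [19/Feb/2008:10:00:04 +0000] "GET /jinzora/index.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900',
    '198.51.100.7 - - [19/Feb/2008:10:02:11 +0000] "GET /jinzora/popup.php?ptype=playlistedit&query%20=%20%253Cscript%253E HTTP/1.1" 200 300',
    '198.51.100.9 - - [19/Feb/2008:10:03:30 +0000] "GET /jinzora/index.php?theme=slick&jz_path=Rock/Album HTTP/1.1" 200 4000',
]
```

A hit records an injection attempt against an affected input, not proof that script ran in a browser; `jz_path` values with legitimate double quotes would need an exception in `MARKUP`.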
{"id": "EDB-ID:31236", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Jinzora 2.7.5 ajax_request.php Multiple Parameter XSS", "description": "Jinzora 2.7.5 ajax_request.php Multiple Parameter XSS. CVE-2008-0877. Webapps exploit for php platform", "published": "2008-02-19T00:00:00", "modified": "2008-02-19T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/31236/", "reporter": "Alexandr Polyakov", "references": [], "cvelist": ["CVE-2008-0877"], "lastseen": "2016-02-03T14:10:37", "viewCount": 2, "enchantments": {"score": {"value": 4.5, "vector": "NONE", "modified": "2016-02-03T14:10:37", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-0877"]}, {"type": "exploitdb", "idList": ["EDB-ID:31238", "EDB-ID:31237", "EDB-ID:31235"]}], "modified": "2016-02-03T14:10:37", "rev": 2}, "vulnersScore": 4.5}, "sourceHref": "https://www.exploit-db.com/download/31236/", "sourceData": "source: http://www.securityfocus.com/bid/27876/info\r\n \r\nJinzora is prone to multiple HTML-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.\r\n \r\nAn attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and launch other attacks.\r\n \r\nJinzora 2.7.5 is vulnerable; other versions may also be affected. \r\n\r\nhttp://www.example.com/[installdir]/ajax_request.php?language=<IMG SRC=\"javascript:alert('DSecRG XSS')\">", "osvdbidlist": ["42948"]}
{"cve": [{"lastseen": "2020-10-03T11:50:57", "description": "Multiple cross-site scripting (XSS) vulnerabilities in Jinzora Media Jukebox 2.7.5 allow remote attackers to inject arbitrary web script or HTML via the (1) frontend, (2) set_frontend, (3) jz_path, (4) theme, and (5) set_theme parameters to (a) index.php; the frontend, theme, and (6) language parameters to (b) ajax_request.php; the jz_path parameter to (c) slim.php; the frontend, theme, and jz_path parameters to (d) popup.php; the (13) PATH_INFO to index.php and (e) slim.php; and the (14) query parameter in a playlistedit action and (15) siteNewsData parameter in a sitenews action to (f) popup.php.\nDuring analysis additional information was found for this vulnerability.\r\n\r\nhttp://www.securityfocus.com/bid/27876/info", "edition": 3, "cvss3": {}, "published": "2008-02-21T19:44:00", "title": "CVE-2008-0877", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-0877"], "modified": "2018-10-15T22:03:00", "cpe": ["cpe:/a:jinzora:media_jukebox:2.7.5"], "id": "CVE-2008-0877", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0877", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:jinzora:media_jukebox:2.7.5:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-03T14:10:30", "description": "Jinzora 2.7.5 index.php Multiple Parameter XSS. CVE-2008-0877. 
Webapps exploit for php platform", "published": "2008-02-19T00:00:00", "type": "exploitdb", "title": "Jinzora 2.7.5 index.php Multiple Parameter XSS", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-0877"], "modified": "2008-02-19T00:00:00", "id": "EDB-ID:31235", "href": "https://www.exploit-db.com/exploits/31235/", "sourceData": "source: http://www.securityfocus.com/bid/27876/info\r\n\r\nJinzora is prone to multiple HTML-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.\r\n\r\nAn attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and launch other attacks.\r\n\r\nJinzora 2.7.5 is vulnerable; other versions may also be affected. \r\n\r\nhttp://www.example.com/[installdir]/index.php?frontend=<IMG SRC=\"javascript:alert('DSecRG XSS')\">\r\nhttp://www.example.com/[installdir]/index.php/\"><script>alert('DSecRG XSS')</script>", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/31235/"}, {"lastseen": "2016-02-03T14:10:44", "description": "Jinzora 2.7.5 slim.php Multiple Parameter XSS. CVE-2008-0877. 
Webapps exploit for php platform", "published": "2008-02-19T00:00:00", "type": "exploitdb", "title": "Jinzora 2.7.5 slim.php Multiple Parameter XSS", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-0877"], "modified": "2008-02-19T00:00:00", "id": "EDB-ID:31237", "href": "https://www.exploit-db.com/exploits/31237/", "sourceData": "source: http://www.securityfocus.com/bid/27876/info\r\n \r\nJinzora is prone to multiple HTML-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.\r\n \r\nAn attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and launch other attacks.\r\n \r\nJinzora 2.7.5 is vulnerable; other versions may also be affected. \r\n\r\nhttp://www.example.com/[installdir]/slim.php?jz_path=<IMG SRC=\"javascript:alert('DSecRG XSS')\">", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/31237/"}, {"lastseen": "2016-02-03T14:10:51", "description": "Jinzora 2.7.5 popup.php Multiple Parameter XSS. CVE-2008-0877. Webapps exploit for php platform", "published": "2008-02-19T00:00:00", "type": "exploitdb", "title": "Jinzora 2.7.5 popup.php Multiple Parameter XSS", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-0877"], "modified": "2008-02-19T00:00:00", "id": "EDB-ID:31238", "href": "https://www.exploit-db.com/exploits/31238/", "sourceData": "source: http://www.securityfocus.com/bid/27876/info\r\n \r\nJinzora is prone to multiple HTML-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.\r\n \r\nAn attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 
This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and launch other attacks.\r\n \r\nJinzora 2.7.5 is vulnerable; other versions may also be affected. \r\n\r\nhttp://www.example.com/[installdir]/popup.php?ptype=sitenew&siteNewsData = </textarea><script>alert('DSecRG XSS')</script>\r\nhttp://www.example.com/[installdir]/popup.php?ptype=playlistedit&query = <script>alert('DSecRG XSS')</script>\r\nhttp://www.example.com/[installdir]/popup.php?theme=<IMG SRC=\"javascript:alert('DSecRG XSS')\">", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/31238/"}]}