High-Tech Bridge SA Security Research Lab has discovered a vulnerability in osCSS which could be exploited to perform cross-site scripting attacks.
- Cross-site scripting (XSS) vulnerability in osCSS: CVE-2010-2856
The vulnerability exists due to an input sanitization error in the “page” parameter in admin/currencies.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim has access to the administrative interface.
Exploitation example:
http://example.com/admin/currencies.php?page=1"><script>alert(document.cookie)</script>&cID=1
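Detection example (added here, not part of the original advisory and not osCSS code): a log check that flags requests to admin/currencies.php whose “page” value is not a plain number, including percent-encoded and double-encoded forms. It assumes Apache combined log format and that “page” is a numeric pagination index; the log lines and the names fully_decode and suspicious_requests are constructed for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - admin [12/Aug/2010:10:01:02 +0000] "GET /admin/currencies.php?page=2&cID=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Aug/2010:10:03:17 +0000] "GET /admin/currencies.php?page=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&cID=1 HTTP/1.1" 200 5231 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Aug/2010:10:03:40 +0000] "GET /admin/currencies.php?page=1%2522%253E&cID=1 HTTP/1.1" 200 5198 "-" "Mozilla/5.0"
192.0.2.10 - admin [12/Aug/2010:10:05:00 +0000] "GET /admin/orders.php?page=3 HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
VULNERABLE_PATH = "/admin/currencies.php"  # script named in the advisory


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded values are compared in clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text):
    """Return (line number, client IP, decoded value) for each non-numeric "page" value."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.match(line)
        if not match:
            continue
        url = urlsplit(match["target"])
        if not url.path.endswith(VULNERABLE_PATH):
            continue
        # parse_qs decodes once; fully_decode handles any further layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get("page", []):
            value = fully_decode(raw)
            # Assumption: "page" is a pagination index, so only ASCII digits are legitimate.
            if not re.fullmatch(r"[0-9]+", value):
                findings.append((lineno, match["ip"], value))
    return findings


if __name__ == "__main__":
    for lineno, ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {lineno}: {ip} sent page={value!r}")
```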