High-Tech Bridge SA Security Research Lab has discovered vulnerability in Prado Portal which could be exploited to perform cross-site scripting attacks.
- Cross-site scripting (XSS) vulnerability in Prado Portal: CVE-2010-4958
The vulnerability exists due to input sanitation error in the “page” parameter in index.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in user`s browser in context of the vulnerable website.
Exploitation example:
http://host/index.php?page=x<img+src%3Dx+onerror%3Dalert(document.cookie)>