Lucene search
High-Tech BridgeHTB23110HistoryAug 15, 2012 - 12:00 a.m.
Cross-Site Scripting (XSS) Vulnerabilities in Flogr
2012-08-1500:00:00
High-Tech Bridge
www.htbridge.com
31
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.032 Low
EPSS
Percentile
90.2%
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Flogr, which can be exploited to perform Cross-Site Scripting (XSS) attacks.
- Cross-Site Scripting (XSS) Vulnerabilities in Flogr: CVE-2012-4336
Input appended to the URL after /index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected website.
The following PoC demonstrates the vulnerability:
http://[host]/index.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/scr ipt%3E/
Successful exploitation of this vulnerability requires that Apache’s directive “AcceptPathInfo” is set to “on” or “default” (default value is “default”)
Second PoC* demonstrates that any HTTP GET parameter is also vulnerable to XSS:
http://[host]/index.php?[any]=%22%3E%3Cscript%3Ealert%28document.cookie%29;% 3C/script%3E
- Independently reported XSS in the “tag” GET parameter by LABORATORY RESEARCH TEAM (http://www.vulnerability-lab.com/get_content.php?id=656).
Related
securityvulns
securityvulns
Cross-Site Scripting (XSS) Vulnerabilities in Flogr
2012-09-07 00:00:00
packetstorm
packetstorm
Flogr 2.5.6 Cross Site Scripting
2012-09-06 00:00:00
cve
cve
CVE-2012-4336
2012-09-15 17:55:00
cvelist
cvelist
CVE-2012-4336
2012-09-15 17:00:00
prion
prion
Cross site scripting
2012-09-15 17:55:00
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.032 Low
EPSS
Percentile
90.2%
Related for HTB23110