WiredRed e/pop Conference Topic Name XSS

2006-02-08T18:35:43
ID OSVDB:22997
Type osvdb
Reporter Adrian Castro (acastro@linuxquestions.net)
Modified 2006-02-08T18:35:43

Description

Vulnerability Description

WiredRed e/pop Conferencing software contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the topic name when it is submitted to a public or private conference. This could allow a user to create a specially crafted URL that executes arbitrary script in another user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
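As an added example (not WiredRed's code), this shows the check the advisory says is missing: a server-side allow-list on the topic name at submission time, plus context-specific encoding when the name is rendered into HTML or a link. The field name, length limit and URL path are assumptions.

```python
import html
import re
from urllib.parse import quote

# Assumed limits for a conference topic name; not taken from the advisory.
MAX_TOPIC_LEN = 80
# Conservative allow-list: letters, digits, space and common punctuation.
# Markup-significant characters ('<', '>', '"', '&') are deliberately absent.
_ALLOWED = re.compile(r"^[A-Za-z0-9 .,:;!?()'\-_/]+$")


class InvalidTopicName(ValueError):
    """Raised when a submitted topic name fails validation."""


def validate_topic_name(raw: str) -> str:
    """Accept a topic name only if it is non-empty, within the length limit,
    and made solely of allow-listed characters; return the trimmed name."""
    name = raw.strip()
    if not name:
        raise InvalidTopicName("topic name is empty")
    if len(name) > MAX_TOPIC_LEN:
        raise InvalidTopicName("topic name too long")
    if not _ALLOWED.fullmatch(name):
        raise InvalidTopicName("topic name contains disallowed characters")
    return name


def is_safe_topic_submission(raw: str) -> bool:
    """Boolean form of validate_topic_name for request handlers."""
    try:
        validate_topic_name(raw)
        return True
    except InvalidTopicName:
        return False


def render_topic_html(name: str) -> str:
    """Escape the name for an HTML text node. Output encoding neutralises
    injected markup even if the allow-list above is later relaxed."""
    return f"<h2>{html.escape(name, quote=True)}</h2>"


def render_topic_link(name: str) -> str:
    """Encode for a URL query parameter first, then for the HTML attribute;
    the link text gets plain HTML escaping."""
    href = "/conference?topic=" + quote(name, safe="")  # assumed path
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(name)}</a>'
```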

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.wiredred.com
Secunia Advisory ID: 18753
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0122.html
ISS X-Force ID: 24609
FrSIRT Advisory: ADV-2006-0505
CVE: CVE-2006-0643
Bugtraq ID: 16542