Swiki 1.5 Multiple Cross-Site Scripting Vulnerabilities

2008-04-08T00:00:00
ID SECURITYVULNS:DOC:19585
Type securityvulns
Reporter Securityvulns
Modified 2008-04-08T00:00:00

Description

Title: Swiki 1.5 Multiple Cross-Site Scripting Vulnerabilities Vendor URL: http://wiki.squeak.org/swiki Vendor Contacted: Yes

Description: Multiple stored and reflective cross-site scripting vulnerabilities were identified in Swiki 1.5.

Reflective (example): http://[host]:8000/<script>alert("XSS");</script>

Stored (example): On posts to 1.append when adding new entries into the wiki, the application does not properly escape javascript code resulting in a stored cross-site scripting attack.

Credit: Brad Antoniewicz brad.antoniewicz@foundstone.com