SMW+ HTML-injection Vulnerability

vendor:

SMW+

by:

SecurityFocus

7,5

CVSS

HIGH

HTML-injection

CWE

Product Name: SMW+

Affected Version From: SMW+ 1.5.6

Affected Version To: SMW+ 1.5.6

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2012

SMW+ HTML-injection Vulnerability

SMW+ is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input. Attacker-supplied HTML and script code can run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to generate HTML output without validation and escaping.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/51980/info

SMW+ is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code can run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

SMW+ 1.5.6 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php/Special:FormEdit?target=%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F\%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F&categories=Calendar+