header-logo
Suggest Exploit
vendor:
OpenBB
by:
SecurityFocus
7.5
CVSS
HIGH
Script Injection
79
CWE
Product Name: OpenBB
Affected Version From: OpenBB 1.0
Affected Version To: OpenBB 1.0.2
Patch Exists: YES
Related CWE: N/A
CPE: a:openbb:openbb:1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux, Unix, Windows
2002

OpenBB Image Tag Script Injection Vulnerability

OpenBB is web forum software written in PHP. It is possible to inject arbitrary script code into forum messages via image tags. Script code will be executed in the browser of the user viewing the forum message, in the context of the website running the vulnerable software. This may allow an attacker to steal cookie-based authentication credentials.

Mitigation:

Input validation should be used to ensure that user-supplied data does not contain malicious script code.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/4171/info

OpenBB is web forum software written in PHP. It will run on most Linux and Unix variants, in addition to Microsoft Windows operating systems.

OpenBB allows users to include images in forum messages using image tags, with the following syntax:

[img]url of image[/img]

It is possible to inject arbitrary script code into forum messages via these image tags. Script code will be executed in the browser of the user viewing the forum message, in the context of the website running the vulnerable software. This may allow an attacker to steal cookie-based authentication credentials.

[img]javasCript:alert('Hello world.')[/img]

Navigation

Suggest Exploit

Services By CQR