vendor:
Ez Faq Maker
by:
Milos Zivanovic
8.8
CVSS
HIGH
XSS And Multiple XSRF Vulnerabilities
79, 352
CWE
Product Name: Ez Faq Maker
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: N/A
CPE: a:scriptsez:ez_faq_maker
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: PHP
2009
Ez Faq Maker Multiple Vulnerabilities
The Ez Faq Maker application version 1.0 is vulnerable to XSS and multiple XSRF vulnerabilities. The XSS vulnerability exists in the front end of the application, where an attacker can inject malicious JavaScript code into the 'sid' parameter of the 'index.php' page. The multiple XSRF vulnerabilities exist in the admin panel, where an attacker can delete a category or FAQ by sending a malicious request to the 'admin.php' page. Additionally, the application does not have any protection against changing the admin info.
Mitigation:
Developers should ensure that user input is properly sanitized and validated before being used in the application. Additionally, developers should implement proper authentication and authorization mechanisms to protect against XSRF attacks.