HTML Injection Vulnerability in Sympa

vendor:

Sympa

by:

SecurityFocus

7.5

CVSS

HIGH

HTML Injection

CWE

Product Name: Sympa

Affected Version From: 4.1

Affected Version To: 4.1.x

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2004

HTML Injection Vulnerability in Sympa

An HTML injection vulnerability is reported in Sympa. The problem occurs due to a failure of the application to properly sanitize user-supplied input data. Unsuspecting users viewing the affected page will have attacker-supplied malicious code interpreted by their browser in the security context of the website hosting Sympa. Attackers may potentially exploit this issue to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.

Mitigation:

Input validation should be used to ensure that user-supplied data does not contain malicious HTML or script code.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10992/info

An HTML injection vulnerability is reported in Sympa. The problem occurs due to a failure of the application to properly sanitize user-supplied input data.

Unsuspecting users viewing the affected page will have attacker-supplied malicious code interpreted by their browser in the security context of the website hosting Sympa.

Attackers may potentially exploit this issue to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.

Versions 4.1, and all 4.1.x releases are reported vulnerable to this issue. 

Whatever_you_want<script>alert("Your cookie is " + document.cookie)</script>