Vendor: Spyce
By: SecurityFocus
CVSS: 7.5 (HIGH)
Information Disclosure and Client-Side Script Execution
CWE: 20
Product Name: Spyce
Affected Version From: 2.1.2003
Affected Version To: 2.1.2003
Patch Exists: YES
Related CWE: N/A
CPE: spyce
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
Spyce Multiple Input-Validation Vulnerabilities
Spyce is prone to multiple input-validation vulnerabilities that can lead to information disclosure or client-side script execution. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can also obtain a server's webroot path by requesting the URL http://www.example.com/spyce/examples/automaton.spy?_spyce_debug=1
Mitigation:
Users should upgrade to the latest version of Spyce. Additionally, users should ensure that input is properly sanitized and validated before being used.
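
A defender-side check for the webroot-disclosure request described above, as an added example that is not part of the original advisory or of Spyce: it scans web-server access logs for requests that carry the `_spyce_debug` parameter, including percent-encoded spellings. The combined log format, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter named in the advisory's example URL.
DEBUG_PARAM = "_spyce_debug"

# Assumed common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def find_debug_requests(lines):
    """Return one dict per request whose query string carries DEBUG_PARAM."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes names, so %5Fspyce%5Fdebug is caught too.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # Compared case-insensitively to be conservative (an assumption).
            if name.lower() == DEBUG_PARAM:
                hits.append({
                    "client": m.group("client"),
                    "time": m.group("ts"),
                    "path": parts.path,
                    "value": value,
                    "status": int(m.group("status")),
                })
                break
    return hits

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2008:10:01:22 +0000] "GET /spyce/examples/automaton.spy HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2008:10:02:03 +0000] "GET /spyce/examples/automaton.spy?_spyce_debug=1 HTTP/1.1" 200 9417',
    '198.51.100.7 - - [12/Mar/2008:10:02:09 +0000] "GET /app/page.spy?x=1&%5Fspyce%5Fdebug=1 HTTP/1.1" 200 8801',
    '203.0.113.5 - - [12/Mar/2008:10:03:40 +0000] "GET /index.html?q=_spyce_debug HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for hit in find_debug_requests(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["path"], "status", hit["status"])
```

The last sample line is not reported because `_spyce_debug` appears there only as a value, not as a parameter name.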