Cross-Site Scripting Vulnerability in OpenNewsletter

vendor:

OpenNewsletter

by:

Unknown

5.5

CVSS

MEDIUM

Cross-Site Scripting (XSS)

CWE

Product Name: OpenNewsletter

Affected Version From: OpenNewsletter 2.5

Affected Version To: Unknown

Patch Exists: NO

Related CWE:

CPE: a:opennewsletter_project:opennewsletter:2.5

Metasploit:

Other Scripts:

Platforms Tested:

2007

Cross-Site Scripting Vulnerability in OpenNewsletter

The OpenNewsletter application fails to properly sanitize user-supplied input, allowing an attacker to execute arbitrary script code in the browser of an unsuspecting user. This can lead to the theft of authentication credentials and other malicious activities.

Mitigation:

To mitigate this vulnerability, it is recommended to implement input validation and sanitization techniques to ensure that user-supplied data is properly handled and rendered in the browser. Additionally, web application firewalls can be used to detect and block malicious input.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/26745/info

OpenNewsletter is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

OpenNewsletter 2.5 is vulnerable; other versions may also be affected. 

http://www.example.com/path/to/opennewsletter/compose.php?type=html'%3Ch1%3EXSS!%3C/h1%3E http://www.example.com/path/to/opennewsletter/compose.php?type=';%3CSCRIPT%3Ealert(String.fromCharCode(88,%2083,%2083,%2032,%2058,%2040))//\';%3C/script%3E