header-logo
Suggest Exploit
vendor:
Chat Server
by:
Unknown
4.3
CVSS
MEDIUM
Cross-Site Scripting
79
CWE
Product Name: Chat Server
Affected Version From: 2.9
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:12Planet:Chat_Server
Metasploit:
Other Scripts:
Platforms Tested: Unknown
2004

12Planet Chat Server Cross-Site Scripting Vulnerability

The 12Planet Chat Server is vulnerable to a cross-site scripting (XSS) vulnerability due to a lack of input sanitization. An attacker can exploit this by injecting malicious HTML or script code into a URI argument to one of the servlets in the application. If a user follows a malicious link, the injected code will be rendered in their web browser, allowing the attacker to steal authentication credentials or perform other attacks.

Mitigation:

To mitigate this vulnerability, it is recommended to implement proper input sanitization and validation techniques on the server-side to prevent the execution of malicious code. Additionally, user input should be encoded or escaped before being rendered in HTML to prevent XSS attacks.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10659/info

It is reported that 12Planet Chat Server is prone to a cross-site scripting vulnerability. This issue is due to a lack of sanitization of user-supplied data.

The problem presents itself when malicious HTML or script code is passed in a URI argument to one of the servlets in the application.

A remote attacker can exploit this issue by creating a malicious link to the vulnerable application that includes hostile HTML and script code. If this link were followed by an unsuspecting user, the hostile code may be rendered in the their web browser. This would occur in the security context of the web server and may allow for theft of cookie-based authentication credentials or other attacks.

Although version 2.9 of the software was reported vulnerable, other versions may also be affected.

http://www.example.com:8080/servlet/one2planet.infolet.InfoServlet?page=<script>alert("hy")</script>

Navigation

Suggest Exploit

Services By CQR

cqrsecured