vendor:
123 Flash Chat
by:
SecurityFocus
7.5
CVSS
HIGH
Arbitrary Code Injection
94
CWE
Product Name: 123 Flash Chat
Affected Version From: 5.1 and prior versions
Affected Version To: 5.1 and prior versions
Patch Exists: YES
Related CWE: N/A
CPE: a:123flashchat:123_flash_chat
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2005
123 Flash Chat Arbitrary Code Injection Vulnerability
123 Flash Chat is prone to an arbitrary code injection weakness. An attacker can influence the value of a variable that is insecurely passed to an 'eval()' call. Successful exploitation may allow attackers to take complete control of the application and potentially carry out other attacks against the vulnerable server hosting the client, including remote unauthorized access. Exploitation of this vulnerability likely depends on the existence of other content injection issues in the site hosting the application. An attacker would exploit other input validation vulnerabilities such as HTML injection or cross-site scripting to supply the malicious value for a variable.
Mitigation:
Input validation should be used to ensure that user-supplied data is properly sanitized and filtered.
