WEBIGniter v28.7.23 XSS

vendor:

WEBIGniter

by:

RedTeamer IT Security, Mesut Cetin

4.1

CVSS

MEDIUM

Cross-Site Scripting (XSS)

CWE

Product Name: WEBIGniter

Affected Version From: v28.7.23

Affected Version To: v28.7.23

Patch Exists: NO

Related CWE:

CPE: a:webigniter:webigniter:28.7.23

Metasploit:

Other Scripts:

Platforms Tested:

2023

The 'your_name' parameter in WEBIGniter v28.7.23 lacks proper input validation, leading to a vulnerability where an attacker can execute malicious JavaScript code by injecting it into the parameter. This can result in reflected cross-site scripting (XSS) attacks, potentially compromising user data and system integrity.

Mitigation:

To mitigate this vulnerability, it is crucial to implement thorough input validation and encoding for the 'your_name' parameter. This ensures that any user input is properly sanitized to prevent the execution of malicious code.

Source

Exploit-DB raw data:

## Title: WEBIGniter v28.7.23 XSS
## Author: RedTeamer IT Security, Mesut Cetin
## Date: 09/04/2023
## Vendor: https://webigniter.net/
## Software: https://webigniter.net/demo
## Reference: https://portswigger.net/web-security/cross-site-scripting/stored

## Description:
During the user creation process, the 'your_name' parameter fails to adequately validate user input, rendering the system vulnerable to reflected cross-site scripting (XSS) attacks.

## PoC
To exploit this vulnerability, an attacker can inject malicious JavaScript code into the "your_name" parameter under https://webigniter.net/create-account during the user creation process. This code, when embedded within an image tag like this: <img src onerror="prompt(8)">, can be executed when the user navigates to the "users" page under their profile.

## Mitigation
To mitigate this risk, the "your_name" parameter should be subjected to rigorous input validation and encoding to ensure that all user input is sanitized and rendered harmless.