Vendor: Advanced Guestbook
By: Unknown
CVSS: 7.5 (HIGH)
CWE: 79 (Cross-Site Scripting)
Product Name: Advanced Guestbook
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:advanced_guestbook:advanced_guestbook
Metasploit:
Other Scripts:
Platforms Tested: Unknown
Unknown

Advanced Guestbook Multiple Cross-Site Scripting Vulnerabilities

The Advanced Guestbook application is vulnerable to multiple cross-site scripting (XSS) vulnerabilities due to inadequate input sanitization. An attacker can exploit these vulnerabilities by injecting arbitrary script code into user-supplied input. This can lead to the execution of malicious scripts in the context of the affected site, potentially allowing the attacker to steal authentication credentials and launch further attacks.

Mitigation:

To mitigate these vulnerabilities, update the Advanced Guestbook application to a version that properly sanitizes user input. Additionally, validate and sanitize user-supplied input on the server side to prevent XSS attacks.
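
One way to apply the server-side validation described above, as an added example that is not Advanced Guestbook's own code. It assumes the `gb_id` parameter seen in the URLs below is a numeric identifier in normal use; the function names and HTML markup are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumed vulnerable pattern (not taken from the product's source):
//   echo '<a href="comment.php?gb_id=' . $_GET['gb_id'] . '">';
// The hardened form validates the type first and encodes anything it prints.

/** Return the parameter as a non-negative int, or null if it is anything else. */
function int_param(array $query, string $name): ?int
{
    $raw = $query[$name] ?? null;
    // Arrays (?gb_id[]=1) and non-digit strings are rejected, not "cleaned up".
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

/** Encode a value for an HTML text node or a quoted attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the comment link from validated input only (hypothetical markup). */
function comment_link(array $query): string
{
    $id = int_param($query, 'gb_id');
    if ($id === null) {
        return '<p>Invalid request.</p>'; // the caller should also send HTTP 400
    }
    return '<a href="comment.php?gb_id=' . $id . '">Comment on entry ' . $id . '</a>';
}

// Constructed inputs modelled on the query strings listed on this page.
$samples = [
    ['gb_id' => '1'],                                         // valid
    ['gb_id' => '1<script>alert(document.cookie);</script>'], // rejected
    ['gb_id' => ['1']],                                       // array input, rejected
];
foreach ($samples as $query) {
    echo comment_link($query), "\n";
}

// Free-text fields cannot be cast to int; encode them at output time instead.
echo '<p>', h('<script>alert(document.cookie);</script>'), "</p>\n";
```

Only the first sample produces a link; the other two return the error paragraph, and the final line prints the script tag as inert `&lt;script&gt;` text.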
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/15927/info

Advanced Guestbook is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/guestbook/index.php?entry=<script>alert(document.cookie);</script>
http://www.example.com/guestbook/index.php?entry=<iframe src=http://www.example.com/>

http://www.example.com/guestbook/comment.php?gb_id=1<script>alert(document.cookie);</script>
http://www.example.com/guestbook/comment.php?gb_id=1<IFRAME SRC="javascript:alert('XSS');"></IFRAME>