Vendor: ArbitroWeb
By:
CVSS: 7.5 HIGH
Cross-Site Scripting
CWE: 79
Product Name: ArbitroWeb
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
ArbitroWeb Cross-Site Scripting Vulnerability
ArbitroWeb is susceptible to a cross-site scripting vulnerability in its rawURL URI parameter. The 'rawURL' URI parameter passed to 'index.php' contains the desired target for the proxy to connect to. This parameter is not properly sanitized and may be used in a cross-site scripting attack. An attacker may craft a URI that contains malicious HTML or script code. If a victim user follows this link, the HTML or script code contained in the affected URI parameter will be rendered and executed in the victim's browser in the context of the vulnerable site. The attacker could use this vulnerability to steal cookie-based authentication credentials, or perform other types of attacks.
Mitigation:
Properly sanitize user input in the rawURL URI parameter to prevent cross-site scripting attacks. Implement input validation and output encoding to ensure that any user-supplied data is properly handled and does not execute as code.
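The following PHP sketch shows the two controls named in the mitigation applied to a rawURL value: validation on input and encoding on output. It is an added example, not ArbitroWeb code; the function names `validate_raw_url` and `html_encode`, the form markup and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from ArbitroWeb.

/**
 * Input validation: accept only absolute http/https URLs as a proxy target.
 * Returns the URL, or null when the value must be rejected.
 */
function validate_raw_url(string $raw): ?string
{
    $raw = trim($raw);
    // Reject empty values and control characters (CR, LF, NUL, ...).
    if ($raw === '' || preg_match('/[\x00-\x1F\x7F]/', $raw)) {
        return null;
    }
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    // Allow-list the scheme so javascript:, data: and similar are refused.
    $scheme = strtolower($parts['scheme'] ?? '');
    return in_array($scheme, ['http', 'https'], true) ? $raw : null;
}

/** Output encoding for HTML text and quoted-attribute contexts. */
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET['rawURL'].
$samples = [
    'http://example.com/page?id=1',
    '"><script>alert(1)</script>',
    'javascript:alert(1)',
];

foreach ($samples as $raw) {
    $target = validate_raw_url($raw);
    if ($target === null) {
        // Even the rejection message encodes the value before echoing it.
        echo 'Rejected rawURL: ' . html_encode($raw) . "\n";
        continue;
    }
    // A valid URL can still carry quotes or angle brackets, so encode on output too.
    echo '<input type="text" name="rawURL" value="' . html_encode($target) . '">' . "\n";
}
```

Validation narrows what the proxy will accept, but the encoding step is what prevents the reflected value from being interpreted as markup, so it is applied on every path that echoes the parameter.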