vendor:
Image Upload Script
by:
SecurityFocus
7,5
CVSS
HIGH
Cross-Site Scripting and Information Disclosure
79
CWE
Product Name: Image Upload Script
Affected Version From: 1.91
Affected Version To: 1.91
Patch Exists: YES
Related CWE: N/A
CPE: chevereto_nb1.91
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2012
Chevereto Image Upload Script Cross-Site Scripting and Information Disclosure Vulnerabilities
Chevereto Image Upload Script is prone to a cross-site scripting vulnerability and an information-disclosure vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. An attacker may leverage the information-disclosure issue to enumerate the existence of local files. Information obtained may aid in further attacks.
Mitigation:
Input validation should be used to ensure that untrusted data is not used to generate dynamic content.
