DCP-Portal Multiple Cross-Site Scripting Vulnerabilities

vendor:

DCP-Portal

by:

5.5

CVSS

MEDIUM

Cross-Site Scripting

CWE

Product Name: DCP-Portal

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

DCP-Portal Multiple Cross-Site Scripting Vulnerabilities

DCP-Portal is prone to multiple cross-site scripting vulnerabilities. The vulnerabilities exist because the application fails to properly sanitize user-supplied input. An attacker can exploit these issues by enticing an unsuspecting user to follow a malicious URI that contains arbitrary script code. The attacker-supplied script code may execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and launch other attacks.

Mitigation:

To mitigate these vulnerabilities, it is recommended to sanitize user-supplied input before using it in dynamically generated web pages or scripts. Implementing proper input validation and output encoding can help prevent cross-site scripting attacks.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/11338/info

DCP-Portal is reported prone to multiple cross-site scripting vulnerabilities. It is reported that DCP-Portal does not sufficiently filter URI parameters supplied to several scripts.

Because of this deficiency, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of a legitimate user if the link is followed. The script code contained in the URI parameter will be executed in the context of the vulnerable website.

This may allow for theft of cookie-based authentication credentials and other attacks.

http://www.example.com/calendar.php?year=2004&month=[XSS code here]&day=01
http://www.example.com/calendar.php?year=2004&month=09&day=[XSS code here]