vendor:
Ez Poll Hoster
by:
Milos Zivanovic
7.5
CVSS
HIGH
Multiple XSS and XSRF Vulnerabilities
79,352
CWE
Product Name: Ez Poll Hoster
Affected Version From: the only one there is
Affected Version To: the only one there is
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: PHP
2009
Ez Poll Hoster Multiple XSS and XSRF Vulnerabilities
Ez Poll Hoster is vulnerable to multiple XSS and XSRF vulnerabilities. In the user panel, an attacker can inject malicious JavaScript code in the 'pid' parameter of the 'index.php' page. Additionally, an attacker can delete a poll by providing the poll name in the 'pid' parameter of the 'delete_poll' page. In the admin panel, an attacker can inject malicious JavaScript code in the 'uid' parameter of the 'profile.php' page. An attacker can also delete a user by providing the user name in the 'uid' parameter of the 'manage' page. Furthermore, an attacker can send an email to all users by accessing the 'email' page.
Mitigation:
Input validation should be used to prevent XSS and XSRF attacks.