vendor:
Flyspray
by:
SecurityFocus
7.5
CVSS
HIGH
Information Disclosure, HTML Injection, Cross-Site Scripting
79, 80, 79, 79, 79, 79, 79, 79
CWE
Product Name: Flyspray
Affected Version From: 2000.9.9
Affected Version To: 0.9.9.4
Patch Exists: YES
Related CWE: N/A
CPE: a:flyspray:flyspray
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
Flyspray Multiple Vulnerabilities
Flyspray is prone to an information-disclosure issue, an HTML-injection issue, and multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues determine valid usernames and passwords via brute-force attacks or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and launch other attacks.
Mitigation:
Input validation should be used to ensure that untrusted data is not used to dynamically generate HTML or JavaScript code.