Multiple Vulnerabilities in phpWebSite

vendor:

phpWebSite

by:

7.5

CVSS

HIGH

Cross-Site Scripting (XSS), HTML Injection, SQL Injection

79, 89, 352

CWE

Product Name: phpWebSite

Affected Version From: 0.9.3-4

Affected Version To: 0.9.3-4

Patch Exists: NO

Related CWE:

CPE: a:phpwebsite:phpwebsite:0.9.3-4

Metasploit:

Other Scripts:

Platforms Tested:

Multiple Vulnerabilities in phpWebSite

The phpWebSite application is vulnerable to multiple cross-site scripting, HTML injection, and SQL injection vulnerabilities. The cross-site scripting vulnerability exists in the comments module script, allowing an attacker to execute malicious HTML and script code in the context of a vulnerable user. The SQL injection vulnerability affects the calendar module script, enabling a remote attacker to disclose sensitive information. Additionally, the application is prone to HTML injection in the notes module due to inadequate sanitization of user-supplied data. Attackers can exploit this vulnerability to manipulate web content, perform unauthorized actions on the site, or steal authentication credentials.

Mitigation:

To mitigate these vulnerabilities, it is recommended to update to a patched version of phpWebSite. Additionally, input validation and sanitization should be implemented to prevent cross-site scripting, HTML injection, and SQL injection attacks.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/11088/info

It is reported that phpWebSite is susceptible to multiple cross-site scripting, HTML injection and SQL injection vulnerabilities.

The cross-site scripting issue is present in a parameter of the comments module script. An attacker can exploit these issues by creating a malicious link to the vulnerable module containing HTML and script code and send this link to a vulnerable user. When the user follows the link, the attacker-supplied code renders in the user's browser.

An SQL injection issue exists in the application as well. This issue affects a parameter of the calendar module script. This issue may be exploited to cause sensitive information to be disclosed to a remote attacker.

Finally, a HTML Injection vulnerability is reported to affect the application. The problem is said to occur in the notes module due to a lack of sufficient sanitization performed on user supplied data.

Attackers may potentially exploit this issue to manipulate web content, take unauthorized site actions in the context of the victim, or to steal cookie-based authentication credentials.

These vulnerabilities were reported in phpWebsite 0.9.3-4, previous versions are also reported to be vulnerable.

/index.php?module=comments&CM_op=replyToComment&CM_pid=1[XSS]