vendor:
Simplog
by:
Amol Naik
8.8
CVSS
HIGH
Persistent Cross-site Scripting, Cross Site Request Forgery, Edit/Delete Comments (Bypassing Authorization)
79,352,285
CWE
Product Name: Simplog
Affected Version From: 0.9.3.2
Affected Version To: 0.9.3.2
Patch Exists: NO
Related CWE: N/A
CPE: a:simplog:simplog:0.9.3.2
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009
Multiple Vulnerabilities in Simplog v0.9.3.2
When adding a comment for any blog entry, it is possible to add a Persistent XSS payload in 'Name' & 'Email' parameters due to improper sanitization of the user inputs. This application is vulenrable to CSRF which changes the password of an authenticated user. This is applicable to Admin as well. It is possible to edit/delete comments without proper authorization.
Mitigation:
Ensure that user input is properly sanitized and validated. Implement proper authorization checks for editing/deleting comments.