OpenBB HTML Injection Vulnerability

vendor:

OpenBB

by:

5.5

CVSS

MEDIUM

HTML Injection

CWE

Product Name: OpenBB

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Linux, Unix, Windows

OpenBB HTML Injection Vulnerability

OpenBB is vulnerable to HTML injection attacks when HTML code is replaced with BBCodes. This allows an attacker to inject arbitrary HTML code into forum messages, leading to cross-site scripting (XSS) attacks and potential theft of cookie-based authentication credentials.

Mitigation:

To mitigate this vulnerability, it is recommended to properly sanitize user input and validate HTML code before displaying it on the forum. Additionally, implementing a Content Security Policy (CSP) can help prevent XSS attacks.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/4819/info

OpenBB is web forum software written in PHP. It will run on most Linux and Unix variants, in addition to Microsoft Windows operating systems.

OpenBB is reportedly vulnerable to HTML injection attacks. The vulnerability occurs when HTML code is replaced with BBCodes.

OpenBB uses 'BBCodes' in the place of HTML code to include images, links etc. However, HTML tags are not adequately replaced from with BBCodes. It is possible to inject arbitrary HTML code into forum messages. As a result, OpenBB is prone to cross-agent scripting attacks. Script code will be executed in the browser of the user viewing the forum message and may allow an attacker to steal cookie-based authentication credentials. 

[ img]http:// " onerror="ANYSCRIPT"[/img ]