Vendor: BBCode
By: SecurityFocus
CVSS: 7.5 HIGH
HTML Injection
CWE: 79
Product Name: BBCode
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002
phpBB BBCode HTML Injection Vulnerability
It has been reported that an attacker may inject malicious script into areas of phpBB where BBCode is rendered, such as bulletin board posts or private messages. The issue is due to insufficient sanitization of user-supplied URL BBCode tags. An attacker may exploit this issue to steal cookie-based authentication credentials; other attacks may also be possible.
Mitigation:
Input validation should be used to ensure that user-supplied data does not contain malicious HTML or script code.
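One way to apply this mitigation to URL BBCode tags, as an added example that is not phpBB's own code: escape the whole post first, then turn a [url] tag into a link only when its target passes a scheme allow-list. The names ALLOWED_SCHEMES, is_safe_url() and render_url_bbcode() and the sample posts are made up for this sketch.

```php
<?php
// Added example (not phpBB source): render only [url] BBCode, escape everything else.
// ALLOWED_SCHEMES, is_safe_url() and render_url_bbcode() are hypothetical names.
const ALLOWED_SCHEMES = ['http', 'https'];

function is_safe_url(string $url): bool
{
    // Reject empty targets and whitespace/control bytes, which browsers may strip.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);   // null/false for relative or malformed
    return is_string($scheme) && in_array(strtolower($scheme), ALLOWED_SCHEMES, true);
}

function render_url_bbcode(string $text): string
{
    // 1. Neutralise all markup first, so nothing user-typed reaches the page as HTML.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Turn [url=TARGET]LABEL[/url] and [url]TARGET[/url] into links.
    return preg_replace_callback(
        '~\[url(?:=([^\]]*))?\](.*?)\[/url\]~is',
        function (array $m): string {
            $label  = $m[2];                         // already escaped in step 1
            $target = $m[1] !== '' ? $m[1] : $m[2];
            // Validate the decoded value: that is what the browser will act on.
            $raw = htmlspecialchars_decode($target, ENT_QUOTES);
            if (!is_safe_url($raw)) {
                return $m[0];                        // leave the tag as inert text
            }
            $href = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            return '<a href="' . $href . '" rel="nofollow noopener">' . $label . '</a>';
        },
        $safe
    );
}

// Constructed sample posts: a normal link, a disallowed scheme, a quote inside
// the target, and raw HTML next to a bare [url] tag.
$posts = [
    '[url=https://example.com/?a=1&b=2]docs[/url]',
    '[url=javascript:alert(1)]click[/url]',
    '[url=https://example.com/"x]quoted[/url]',
    '<script>1</script> [url]http://example.org/[/url]',
];
foreach ($posts as $p) {
    echo render_url_bbcode($p), PHP_EOL;
}
```

Rejected tags are left in the output as escaped literal text rather than silently dropped, so moderators can see what was posted.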