Vendor: PHPFox
By: Wesley Henrique Leite aka "spyk2r"
CVSS: 7.5 (HIGH)
CWE: 79 (Cross-Site Scripting (XSS))
Product Name: PHPFox
Affected Version From: All versions
Affected Version To: Not provided
Patch Exists: YES
Related CVE: CVE-2014-8469
CPE: a:moxi9:phpfox
Platforms Tested:
Year: 2014
PHPFox XSS AdminCP
The PHPFox admin control panel (AdminCP) is vulnerable to a stored cross-site scripting (XSS) attack. The user_agent field of the phpfox_log_session table is written back into the AdminCP's Online Guests/Bots page without output encoding, so markup injected into that field is rendered in the administrator's browser. An attacker with administrative access can exploit this vulnerability to execute arbitrary scripts in the administrative area of the PHPFox website.
Mitigation:
The vendor fixed the vulnerability on October 23, 2014, with the release of PHPFox v4 Beta. Users should update to the latest version of PHPFox to mitigate this vulnerability.
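To make the defect and its fix concrete, the following is an added PHP example written for this record; it is not PHPFox code and not the vendor's patch. It renders constructed rows standing in for phpfox_log_session in two ways: the vulnerable pattern, which writes the stored user_agent value straight into the admin page, and a hardened pattern that HTML-encodes every untrusted column at output time. The ip_address column name, the esc() and looksLikeMarkup() helpers and the sample rows are assumptions; only the table and column user_agent come from the advisory.

```php
<?php
// Added example (not PHPFox code): the bug class described above, shown as a
// vulnerable render of the stored user_agent value beside a hardened one.
// The table and user_agent column follow the advisory; ip_address and the
// row data are constructed for illustration.

// Constructed sample rows standing in for phpfox_log_session (not real data).
$sessions = [
    [
        'ip_address' => '203.0.113.10',
        'user_agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0',
    ],
    // A value carrying markup: the vulnerable path emits it verbatim.
    [
        'ip_address' => '203.0.113.11',
        'user_agent' => '<b>not a browser</b>',
    ],
];

// Vulnerable pattern: the stored header is concatenated into the admin page
// with no encoding, so any markup it contains becomes part of the DOM.
function renderRowVulnerable(array $row): string
{
    return '<tr><td>' . $row['ip_address'] . '</td><td>' . $row['user_agent'] . '</td></tr>';
}

// Hardened pattern: encode at the point of output. ENT_QUOTES also escapes
// quote characters, so the same helper is safe inside attribute values.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderRowHardened(array $row): string
{
    return '<tr><td>' . esc($row['ip_address']) . '</td><td>' . esc($row['user_agent']) . '</td></tr>';
}

// Detection aid for defenders reviewing an existing log table: a real
// browser's User-Agent string does not contain angle brackets or quotes,
// so rows that do are worth inspecting.
function looksLikeMarkup(string $ua): bool
{
    return (bool) preg_match('/[<>"\']/', $ua);
}

foreach ($sessions as $row) {
    echo "vulnerable: ", renderRowVulnerable($row), "\n";
    echo "hardened:   ", renderRowHardened($row), "\n";
    echo "review:     ", (looksLikeMarkup($row['user_agent']) ? 'SUSPICIOUS' : 'ok'), "\n\n";
}
```

The second constructed row shows the difference: the vulnerable render emits the `<b>` tag as live markup, while the hardened render emits `&lt;b&gt;` and the browser displays the text literally. Encoding at output, rather than filtering at input, is the durable fix because the User-Agent header is attacker-controlled and stored before any page decides how to display it.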