vendor:
Shoutbox
by:
SKuLL-HacKeR
9.3
CVSS
HIGH
Cross-site Scripting (XSS)
79
CWE
Product Name: Shoutbox
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: N/A
CPE: a:plohni:shoutbox:1.0
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020
Shoutbox 1.0 HTML / Xss inejction exploit
The vulnerability exists due to insufficient sanitization of user-supplied input passed via the 'names' and 'shouts' parameters to the '/Shoutbox/index.php' script. A remote attacker can execute arbitrary HTML and script code in a browser in the context of the vulnerable site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Mitigation:
Input validation should be used to ensure that untrusted data is not used to dynamically generate HTML or JavaScript code. It is also recommended to use a whitelist of allowed characters and to escape all other characters.