vendor:
Guestbook
by:
SecurityFocus
7.5
CVSS
HIGH
HTML Injection
79
CWE
Product Name: Guestbook
Affected Version From: 1
Affected Version To: 2.2
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2005
Skull-Splitter Guestbook HTML Injection Vulnerabilities
Skull-Splitter Guestbook is prone to multiple HTML injection vulnerabilities. It is possible to inject HTML and script code into the title and content of posted messages. The attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user, other attacks are also possible. A victim user who views the vulnerable sections of the site would have the attacker-supplied HTML and script code execute in the security context of the affected site.
Mitigation:
Input validation should be used to ensure that user-supplied data does not contain malicious HTML or script code.
