Vendor: sNews
By: Not specified
CVSS: 5.5 (MEDIUM)
Cross-Site Scripting, HTML-Injection
CWE: 79
Product Name: sNews
Affected Version From: 1.7
Affected Version To: Unknown
Patch Exists: NO
Related CWE: Not specified
CPE: a:snews:snews:1.7
Platforms Tested:
2010
sNews Cross-Site Scripting and HTML-Injection Vulnerabilities
sNews is prone to a cross-site scripting vulnerability and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Mitigation:
To mitigate these vulnerabilities, ensure that all user-supplied input is properly sanitized and validated before being used in dynamically generated content. Implementing a strict input validation mechanism can help prevent these types of vulnerabilities.