Vendor: Spyce
By: SecurityFocus
CVSS: 7.5 (HIGH)
Type: Information Disclosure and Client-Side Script Execution
CWE: 20
Product Name: Spyce
Affected Version From: 2.1.2003
Affected Version To: 2.1.2003
Patch Exists: YES
Related CWE: N/A
CPE: spyce
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

Spyce Multiple Input-Validation Vulnerabilities

Spyce is prone to multiple input-validation vulnerabilities that can lead to information disclosure or client-side script execution. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, which may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can also obtain the server's webroot path by requesting the URL http://www.example.com/spyce/examples/automaton.spy?_spyce_debug=1

Mitigation:

Users should upgrade to the latest version of Spyce. Additionally, users should ensure that input is properly sanitized and validated before being used.
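The advisory describes two behaviours worth watching for on the server side: requests that switch on the `_spyce_debug` diagnostic output, and request parameters carrying script-like content that an unescaped template would reflect into the page. The following is an added example (not code from SecurityFocus, Exploit-DB or the Spyce project) showing how a defender can flag both in web-server access logs and how the reflected value should be escaped before it reaches HTML. The log lines are constructed for this example in Common Log Format; the hosts, timestamps and the `name` parameter are made up, and the `.spy` example path is the one named in the advisory.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (Common Log Format). IPs, timestamps
# and the "name" parameter are invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Feb/2008:10:01:12 +0000] "GET /spyce/examples/automaton.spy HTTP/1.1" 200 512
203.0.113.5 - - [20/Feb/2008:10:01:15 +0000] "GET /spyce/examples/automaton.spy?_spyce_debug=1 HTTP/1.1" 200 4096
198.51.100.7 - - [20/Feb/2008:10:02:01 +0000] "GET /spyce/examples/automaton.spy?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
198.51.100.7 - - [20/Feb/2008:10:02:09 +0000] "GET /spyce/examples/automaton.spy?name=alice HTTP/1.1" 200 640
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Query parameters that turn on server-side diagnostics. The advisory names
# _spyce_debug; any other debug switches an installation honours would go here.
DEBUG_PARAMS = {"_spyce_debug"}

# Crude markers of HTML/JS being smuggled into a parameter value.
SCRIPT_RE = re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)


def classify_request(target):
    """Return the reasons (possibly none) a request target matches this issue class."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for name in params:
        if name in DEBUG_PARAMS:
            reasons.append(f"debug parameter {name!r} in request")
    for name, values in params.items():
        for value in values:
            # parse_qs already decoded once; decoding again catches
            # double-encoded payloads such as %253Cscript%253E.
            if SCRIPT_RE.search(unquote_plus(value)):
                reasons.append(f"script-like content in parameter {name!r}")
    return reasons


def scan_log(text):
    """Parse access-log lines and return (ip, target, reasons) for suspicious requests."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a real pipeline would count these
        reasons = classify_request(match.group("target"))
        if reasons:
            findings.append((match.group("ip"), match.group("target"), reasons))
    return findings


def escape_for_html(value):
    """The fix for the reflection side: encode a parameter value before placing it in HTML."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
    print(escape_for_html("<script>alert(1)</script>"))
```

Running the block prints the two flagged requests (the debug-parameter probe and the script-bearing `name` value) and the escaped form of the script tag, which a template that echoes user input should emit instead of the raw value. The `.spy` extension is deliberately not used as a filter so that aliased or rewritten paths are not missed.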

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/27898/info

Spyce is prone to multiple input-validation vulnerabilities that can lead to information disclosure or client-side script execution.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can also obtain a server's webroot path.

The issues affect Spyce 2.1.3; other versions may also be vulnerable.

Requesting the following URL returns the server's webroot:
http://www.example.com/spyce/examples/automaton.spy