Vendor: Vanilla Version 2.0.18.4 + Vanilla kPoll 1.2
By: Henry Hoggard
CVSS: 8,8 (HIGH)
CWE: 79 (Stored XSS)
Product Name: Vanilla Version 2.0.18.4 + Vanilla kPoll 1.2
Affected Version From: Vanilla Version 2.0.18.4 + Vanilla kPoll 1.2
Affected Version To: Vanilla Version 2.0.18.4 + Vanilla kPoll 1.2
Patch Exists: YES
Related CWE: N/A
CPE: Vanillaforums.org/download
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2012
Vanilla kPoll 1.2 Stored XSS
Vanilla kPoll 1.2 is vulnerable to stored XSS. An attacker can inject malicious JavaScript code into the poll title field, which is then stored in the database and executed when the poll is viewed. The XSS I used is <script>alert('xss')</script>
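Mitigation: Input validation should be used to prevent malicious code from being stored in the database. Because the script runs when the stored poll title is rendered, HTML-encoding the title when the poll is displayed also covers values that are already stored.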