WebChat Cross-Site Scripting Vulnerability

vendor:

WebChat

by:

SecurityFocus

4.3

CVSS

MEDIUM

Cross-Site Scripting

CWE

Product Name: WebChat

Affected Version From: 2

Affected Version To: 2

Patch Exists: NO

Related CWE: N/A

CPE: a:webchat:webchat:2.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2002

WebChat Cross-Site Scripting Vulnerability

WebChat does not adequately filter script code from URI parameters, making it prone to cross-site scripting attacks. Attacker-supplied script code may be included in a malicious link to the WebChat 'users.php' script. This may enable a remote attacker to steal cookie-based authentication credentials from legitimate users. Other attacks are also possible.

Mitigation:

Input validation should be used to ensure that user-supplied data is properly sanitized before being used in the application.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/7779/info

WebChat has been reported prone to a cross-site scripting vulnerability.

WebChat does not adequately filter script code from URI parameters, making it prone to cross-site scripting attacks. Attacker-supplied script code may be included in a malicious link to the WebChat 'users.php' script.

This may enable a remote attacker to steal cookie-based authentication credentials from legitimate users. Other attacks are also possible.

This vulnerability was reported to affect WebChat version 2.0 other versions may also be affected. 

http://www.example.com/modules/WebChat/users.php?rid=Non_Numeric&uid=-1&username="><script>alert(document.cookie);</script>