vendor:
YaBB
by:
SecurityFocus
8.8
CVSS
HIGH
Cross-Agent Scripting
79
CWE
Product Name: YaBB
Affected Version From: YaBB 1.4.2
Affected Version To: YaBB 1.4.2
Patch Exists: No
Related CWE: N/A
CPE: a:yabb:yabb
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Unix/Linux variants, MacOS, and Microsoft Windows 9x/ME/NT/2000/XP
2002
YaBB Cross-Agent Scripting Vulnerability
YaBB is prone to cross-agent scripting attacks via the insertion of HTML tags into image links in messages. Due to insufficient input validation, it is possible to insert arbitrary script code in forum messages/replies. The malicious script code will be executed in the browser of the user viewing the message, in the context of the site running YaBB. This makes it possible for a malicious user to post a message which is capable of stealing another legitimate user's cookie-based authentication credentials.
Mitigation:
Input validation should be used to ensure that user-supplied data is properly sanitized.
