STPHP EasyNews Pro Unspecified Script HTML Injection Vulnerability
CLASS: Input Validation Error
CVE:
REMOTE: Yes
LOCAL: No
PUBLISHED: Jun 19 2007 12:00AM
UPDATE: Jun 19 2007 12:00AM
CREDIT: tHe cReW n0 c0ntend3rs <h4xorcr3w@hotmail.com> are credited with the discovery of this vulnerability.
VULNERABLE:
EasyNews Pro EasyNews Pro 4.0
NOT VULNERABLE:
Discussion
STphp EasyNews Pro is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.
Version 4.0 is vulnerable; other versions may also be affected.
Exploit
Attackers can exploit this issue via a web client.
Solution
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.
References
- Script Download Page (STphp)