web@all version 2.0, as downloaded before 30 May 2012, suffers from cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities:
1. Cross-Site Request Forgery (CSRF): The application lets an authenticated administrator perform state-changing actions via HTTP requests without any check that the request originated from the application itself (no anti-CSRF token or equivalent), so a malicious page visited by a logged-in administrator can trigger those actions on their behalf.
2. Cross-Site Scripting (XSS): Input passed via the "_text[title]" GET parameter to the "search.php" script is not properly sanitised before being returned to the user, allowing reflected XSS in the context of the affected site.
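The two flaws above, modelled side by side with a hardened form of each, as an added example that is not web@all code and not part of the original advisory. The handler names, the session and secret layout, the hypothetical site origin and the sample requests are all constructed here for illustration; the only detail taken from the advisory is the `_text[title]` parameter name.

```python
"""Added example (not web@all code): the CSRF and reflected-XSS classes
described in HTB23094, each beside a hardened version.

Assumptions (constructed for this example): handler names, the in-memory
secret, the session ids, SITE_ORIGIN and the sample requests below.
"""
import hashlib
import hmac
import html
import os
import secrets
from urllib.parse import parse_qs


# ---- 1. Reflected XSS via the _text[title] GET parameter ----------------

def title_from_query(query: str) -> str:
    """Return the _text[title] value from a raw query string ('' if absent).
    PHP's $_GET['_text']['title'] corresponds to the literal key '_text[title]'."""
    return parse_qs(query, keep_blank_values=True).get("_text[title]", [""])[0]


def render_search_vulnerable(query: str) -> str:
    """Echoes the submitted title back untouched, the pattern the advisory describes."""
    title = title_from_query(query)
    return f"<h1>Search results for: {title}</h1>"


def render_search_fixed(query: str) -> str:
    """Output encoding for an HTML body context: &, <, >, \" and ' are escaped."""
    title = title_from_query(query)
    return f"<h1>Search results for: {html.escape(title, quote=True)}</h1>"


# ---- 2. CSRF on administrator actions -----------------------------------

SITE_ORIGIN = "https://cms.example"   # hypothetical site origin
SECRET = os.urandom(32)               # per-deployment secret (in-memory for the demo)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session via HMAC so it cannot be replayed across accounts."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, _, mac = token.partition(".")
    if not nonce or not mac:
        return False
    expected = hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def admin_action_vulnerable(req: dict) -> bool:
    """Accepts the action if an admin session cookie rode along. A cross-site
    form POST from any page the administrator visits passes this check."""
    return req.get("cookie_session") is not None


def admin_action_fixed(req: dict) -> bool:
    """Requires a session, a same-site Origin (when the browser sent one)
    and a valid session-bound token carried in the request body."""
    session_id = req.get("cookie_session")
    if session_id is None:
        return False
    origin = req.get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    return csrf_token_valid(session_id, req.get("csrf_token", ""))


if __name__ == "__main__":
    # Constructed sample query: _text[title]=<script>alert(1)</script>
    q = "_text%5Btitle%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    print(render_search_vulnerable(q))
    print(render_search_fixed(q))
    sid = "sess-123"
    forged = {"cookie_session": sid, "origin": "https://evil.example"}
    print(admin_action_vulnerable(forged), admin_action_fixed(forged))
```

The fixed handler layers the Origin check on top of the token rather than replacing it: older clients omit Origin, and the token alone is what ties the request to a page the application itself served.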
Vulnerability ID: HTB23094
Vendor Notification / Patch / Public Disclosure Dates: 30 May 2012 / 30 May 2012 / 20 June 2012
Vulnerabilities Type: CSRF, XSS
Risk level: Medium
Solution Status: Fixed by Vendor, upgrade to the latest version of web@all
Read full information, details and Proof of Concept (PoC) for this advisory: High-Tech Bridge Advisory HTB23094: Multiple vulnerabilities in web@all.