![](http://jforum.net/imgs/header_logojforum.png)
Vulnerabilities in jforum 2.1.9 were reported today by High-Tech Bridge Security Research Lab. They can be exploited to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. Proof-of-concept (PoC) examples are available on the advisory page.
The cross-site scripting (XSS) vulnerabilities in jforum exist due to insufficient filtering of user-supplied input passed to the "jforum.page" script in the "start", "action", "returnUrl", "forum_id" and "topic_id" HTTP POST parameters.
The CSRF (cross-site request forgery) vulnerability in jforum exists due to insufficient verification of the HTTP request origin by the "jforum.page" script. A PoC is available on the advisory page.
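The two root causes named above (reflected POST parameters written into the page without encoding, and a state-changing POST handler that never checks where the request came from) are illustrated in the added example below. It is not JForum's code and not the advisory's PoC: the request is modelled as a plain map of POST parameters plus a session-bound token, and everything except the parameter names the advisory lists (start, action, returnUrl, forum_id, topic_id) is an assumption made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

/*
 * Added illustration, not JForum code: each weakness the advisory describes
 * beside a hardened version. The POST body is modelled as a Map; the token
 * field name and the handler names are assumptions.
 */
public class ForumPageHardening {

    // Hypothetical name of the anti-CSRF field a form would carry.
    static final String CSRF_FIELD = "csrf_token";

    /** Vulnerable: a POST parameter is echoed straight into HTML (reflected XSS). */
    static String renderBackLinkVulnerable(Map<String, String> post) {
        return "<a href=\"" + post.get("returnUrl") + "\">Back</a>";
    }

    /** Hardened: HTML-encode every reflected value before it reaches the page. */
    static String renderBackLinkHardened(Map<String, String> post) {
        return "<a href=\"" + htmlEncode(post.get("returnUrl")) + "\">Back</a>";
    }

    /** Minimal entity encoding for HTML text and quoted attribute contexts. */
    static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * forum_id, topic_id and start are numeric: parse them and reject anything
     * else, so raw input never has to be echoed back at all.
     */
    static int requireInt(Map<String, String> post, String name) {
        String raw = post.get(name);
        if (raw == null || !raw.matches("\\d{1,9}")) {
            throw new IllegalArgumentException("invalid " + name);
        }
        return Integer.parseInt(raw);
    }

    /**
     * CSRF check: the token submitted with the POST must equal the one bound to
     * the user's session, compared in constant time. A forged request from
     * another site cannot supply it.
     */
    static boolean csrfTokenValid(Map<String, String> post, String sessionToken) {
        String supplied = post.get(CSRF_FIELD);
        if (sessionToken == null || supplied == null) return false;
        return MessageDigest.isEqual(
                sessionToken.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed request: a forged POST that breaks out of the href
        // attribute and carries no anti-CSRF token.
        Map<String, String> post = new HashMap<>();
        post.put("action", "reply");
        post.put("forum_id", "3");
        post.put("topic_id", "17");
        post.put("start", "0");
        post.put("returnUrl", "\"><script>x()</script>");

        System.out.println("vulnerable: " + renderBackLinkVulnerable(post));
        System.out.println("hardened:   " + renderBackLinkHardened(post));
        System.out.println("forum_id:   " + requireInt(post, "forum_id"));
        System.out.println("csrf ok:    " + csrfTokenValid(post, "example-session-token"));
    }
}
```

Running it shows the vulnerable renderer closing the attribute and emitting a script element, the hardened renderer emitting the same bytes as inert entities, and the CSRF check rejecting the request because the form field is absent. Checking the Origin or Referer header is a useful second layer, but the session-bound token is the check that directly addresses the missing origin verification the advisory reports.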