Friday, June 28, 2013

HTB23156: Xaraya multiple cross-site scripting (XSS) vulnerabilities

Xaraya version 2.4.0-b1 suffers from multiple cross-site scripting [CWE-79] vulnerabilities.

High-Tech Bridge Security Research Lab discovered four XSS vulnerabilities in Xaraya, which can be exploited to perform cross-site scripting attacks against administrators of the vulnerable application.

These issues exist because user-supplied data passed to the "/index.php" script via the "id", "interface", "name" and "tabmodule" HTTP GET parameters is not sufficiently sanitised before being output in the page. Exploitation examples are available on the HTB23156 security advisory page.

Solution for XSS in Xaraya
Because the Xaraya Development Group did not reply to repeated notifications, High-Tech Bridge Security Research Lab developed an unofficial patch.
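The pattern behind the four findings above, and the general fix, shown as an added example. This is not Xaraya's code and not High-Tech Bridge's unofficial patch: the page layout, the helper names (render_unsafe, render_safe, require_ident, h) and the assumption that "id", "interface" and "tabmodule" are identifier-like values while "name" is free-form text are all hypothetical. Only the parameter names and the script name come from the advisory.

```php
<?php
// Added example (not Xaraya's code, not High-Tech Bridge's patch):
// a reflected-XSS pattern beside a hardened version of the same page.
// Parameter names follow the advisory; the page around them is hypothetical.

// --- Vulnerable pattern: GET parameters echoed straight into HTML. ---
function render_unsafe(array $get): string
{
    $id        = $get['id']        ?? '';
    $interface = $get['interface'] ?? '';
    $name      = $get['name']      ?? '';
    $tabmodule = $get['tabmodule'] ?? '';

    // Each value lands in a different HTML context with no encoding, so a
    // value such as  "><script>alert(1)</script>  breaks out of that context.
    return "<a href=\"index.php?module=$tabmodule&id=$id\">$name</a>\n"
         . "<div class=\"$interface\">...</div>\n";
}

// --- Hardened version: validate what can be validated, encode the rest. ---

// Identifier-like values (module names, numeric ids) only ever need a narrow
// character set; reject anything else instead of trying to "clean" it.
// (Assumption: these three parameters are identifiers in the hypothetical page.)
function require_ident(string $value): string
{
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $value)) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return $value;
}

// Free-form text must be encoded for the HTML context it is inserted into.
// ENT_QUOTES also encodes the single quote so attribute values are covered.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(array $get): string
{
    $id        = require_ident((string)($get['id']        ?? '0'));
    $interface = require_ident((string)($get['interface'] ?? 'default'));
    $tabmodule = require_ident((string)($get['tabmodule'] ?? 'base'));
    $name      = h((string)($get['name'] ?? ''));

    // Values placed in a URL are additionally percent-encoded so that "&" or
    // "#" inside them cannot add or truncate query parameters.
    $href = 'index.php?' . http_build_query(['module' => $tabmodule, 'id' => $id]);
    return '<a href="' . h($href) . '">' . $name . "</a>\n"
         . '<div class="' . h($interface) . "\">...</div>\n";
}

// --- Self-check with a constructed probe value (not from the advisory). ---
function check(bool $ok, string $msg): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $msg");
    }
}

$probe = [
    'name'      => '"><script>alert(1)</script>',
    'id'        => '1',
    'interface' => 'x',
    'tabmodule' => 'm',
];

$unsafe = render_unsafe($probe);
$safe   = render_safe($probe);
check(str_contains($unsafe, '<script>'),  'unsafe output reflects the tag');  // exploitable
check(!str_contains($safe, '<script>'),   'safe output encodes the tag');     // rendered as text
check(str_contains($safe, '&lt;script&gt;'), 'safe output contains the entity form');
echo $safe;
```

Two points worth checking when reviewing a patch for findings like these: whether every output location of each parameter is covered (the same value is often echoed in more than one place, in more than one context), and whether validation is applied on input rather than relying on encoding alone, since encoding that is correct for an HTML body is not correct for a URL or a script block.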
