X7 Chat Avatar URL HTML Injection Vulnerability

Bugtraq ID:	17869
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	May 06 2006 12:00AM
Updated:	May 08 2006 08:49PM
Credit:	[email protected] is credited with the discovery of this vulnerability.
Vulnerable:	X7 Group X7 Chat 2.0.2 X7 Group X7 Chat 1.3.6 X7 Group X7 Chat 1.3.5 B X7 Group X7 Chat 1.3.4 B X7 Group X7 Chat 1.3.3 B X7 Group X7 Chat 1.3.2 B X7 Group X7 Chat 2.0
Not Vulnerable:

X7 Chat Avatar URL HTML Injection Vulnerability

X7 Chat is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would be executed in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

X7 Chat Avatar URL HTML Injection Vulnerability

This issue can be exploited through a web client.

X7 Chat Avatar URL HTML Injection Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].

X7 Chat Avatar URL HTML Injection Vulnerability

References:

• X7 Chat Homepage (X7 Group)
  
• X7Chat <= 2.0.2 avatar XSS injection ([email protected])