BID:18032

CodeAvalanche News Add_News.ASP HTML Injection Vulnerability

CVE-2006-2500 |

Info

CodeAvalanche News Add_News.ASP HTML Injection Vulnerability

Bugtraq ID:	18032
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	May 18 2006 12:00AM
Updated:	May 18 2006 10:08PM
Credit:	omnipresent is credited with the discovery of this vulnerability.
Vulnerable:	CodeAvalanche News CodeAvalanche News 1.2

Not Vulnerable:

Discussion

CodeAvalanche News Add_News.ASP HTML Injection Vulnerability

CodeAvalanche is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would be executed in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Exploit / POC

CodeAvalanche News Add_News.ASP HTML Injection Vulnerability

This issue can be exploited through a web client.

Solution / Fix

CodeAvalanche News Add_News.ASP HTML Injection Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]

References

CodeAvalanche News Add_News.ASP HTML Injection Vulnerability

References:

CodeAvalanche News (CodeAvalanche News)
CANews Multiple Vulnerabilities ([email protected])