NewsGlue RSS Feed HTML Injection Vulnerability
BID:23094
Info
| Bugtraq ID: | 23094 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 22 2007 12:00AM |
| Updated: | Mar 22 2007 02:24PM |
| Credit: | The JVN repository is credited with the discovery of this vulnerability. |
| Vulnerable: | Gluesoft NewsGlue 1.3.3 |
| Not Vulnerable: | Gluesoft NewsGlue 1.3.4 |
Discussion
NewsGlue is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
NewsGlue Feed version 1.3.3 is vulnerable to this issue.
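The bug class described above, as an added example that is not NewsGlue's own code: a minimal RSS 2.0 reader that escapes every feed-derived string before placing it in its HTML view, so markup or script carried in a feed item is shown as text instead of being rendered. The sample feed is constructed for the example and assumes a plain `<item>` with `title`, `link` and `description` children.

```python
"""Added example (not from NewsGlue): render untrusted RSS items safely."""
import html
import xml.etree.ElementTree as ET

# Constructed sample feed (not taken from the advisory): the description
# carries markup that a reader must display, never execute.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example</title>
<item>
  <title>Plain headline &amp; ampersand</title>
  <link>http://example.invalid/post/1</link>
  <description><![CDATA[Hello <script>alert(1)</script> world]]></description>
</item>
</channel></rss>"""


def parse_items(feed_xml: str) -> list:
    """Return title/link/description of each <item> as raw, unescaped strings.

    XML parsing alone does not make the text safe: CDATA and entity-encoded
    markup come back as literal '<' and '>' characters.
    """
    root = ET.fromstring(feed_xml)
    return [
        {
            "title": item.findtext("title", default=""),
            "link": item.findtext("link", default=""),
            "description": item.findtext("description", default=""),
        }
        for item in root.iter("item")
    ]


def safe_href(link: str) -> str:
    """Only allow http(s) targets in the rendered anchor; anything else becomes '#'."""
    if link.lower().startswith(("http://", "https://")):
        return html.escape(link, quote=True)
    return "#"


def render_safe(item: dict) -> str:
    """Hardened rendering: every feed-derived value is HTML-escaped at the sink."""
    return (
        f'<h2><a href="{safe_href(item["link"])}">{html.escape(item["title"])}</a></h2>'
        f'<p>{html.escape(item["description"])}</p>'
    )


if __name__ == "__main__":
    for entry in parse_items(SAMPLE_FEED):
        print(render_safe(entry))
```

The same escape-at-the-sink rule applies to any other field a reader displays (author, category, enclosure URLs), since all of them arrive from the remote feed.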
Exploit / POC
An attacker may exploit this issue by enticing a user to view RSS feeds.
Solution / Fix
Solution:
The vendor has released version 1.3.4 to address this issue. Please see the references for details.
References
References:
- JVN#64227086 (JVN)
- Vendor Homepage (Gluesoft)