Lunascape RSS Feed HTML Injection Vulnerability

Bugtraq ID:	23665
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 25 2007 12:00AM
Updated:	Apr 26 2007 03:50AM
Credit:	Fukumori is credited with the discovery of this vulnerability.
Vulnerable:	Lunascape Lunascape 4.1.3 Lunascape Lunascape 4.1.2 Lunascape Lunascape 4.1.1 Lunascape Lunascape 4.1
Not Vulnerable:	Lunascape Lunascape 4.2

Lunascape RSS Feed HTML Injection Vulnerability

Lunascape is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

This issue affects versions of Lunascape prior to 4.2.0.

Lunascape RSS Feed HTML Injection Vulnerability

Attackers can use a browser to exploit this issue.

Lunascape RSS Feed HTML Injection Vulnerability

Solution:
The vendor released an update to address this issue. Please see the references for more information.

Lunascape RSS Feed HTML Injection Vulnerability

References:

• JVN#36628264 (JPCERT)
  
• Lunascape 4.2.0 Release Notes (Lunascape)
  
• Lunascape Homepage (Lunascape )