CodePress Eval Function Script Execution Vulnerability

Bugtraq ID:	23788
Class:	Input Validation Error
CVE:	CVE-2007-2501
Remote:	Yes
Local:	No
Published:	May 03 2007 12:00AM
Updated:	May 07 2015 05:39PM
Credit:	Dustin Spicuzza is credited with discovering this vulnerability.
Vulnerable:	CodePress CodePress 0.9.3
Not Vulnerable:	CodePress CodePress 0.9.4

CodePress Eval Function Script Execution Vulnerability

CodePress is prone to a script-execution vulnerability because the application fails to properly sanitize user-supplied input.

Attacker-supplied scripts would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

This issue affects versions of CodePress prior to 0.9.4.

CodePress Eval Function Script Execution Vulnerability

Attackers can use a browser to exploit this issue.

CodePress Eval Function Script Execution Vulnerability

Solution:
The vendor released an update to address this issue. Please see the references for more information.


CodePress CodePress 0.9.3

• CodePress codepress-v.0.9.4.zip
  http://downloads.sourceforge.net/codepress/codepress-v.0.9.4.zip?modti me=1178150905&big_mirror=0

CodePress Eval Function Script Execution Vulnerability

References:

• ChangeLog (CodePress)
  
• CodePress Cross-Site Scripting Vulnerability (CodePress)
  
• Vendor Homepage (CodePress)