WebEvent Webevent.CGI Cross-Site Scripting Vulnerability

Bugtraq ID:	25148
Class:	Input Validation Error
CVE:	CVE-2007-4146
Remote:	Yes
Local:	No
Published:	Jul 31 2007 12:00AM
Updated:	May 07 2015 05:36PM
Credit:	d3hydr8 is credited with the discovery of this vulnerability.
Vulnerable:	WebEvent WebEvent 4.03 WebEvent WebEvent 2.72 WebEvent WebEvent 2.71 WebEvent WebEvent 2.7 WebEvent WebEvent 2.61
Not Vulnerable:

WebEvent Webevent.CGI Cross-Site Scripting Vulnerability

WebEvent is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

WebEvent Webevent.CGI Cross-Site Scripting Vulnerability

An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.

A sample URI has been provided:

• /data/vulnerabilities/exploits/25148.html

WebEvent Webevent.CGI Cross-Site Scripting Vulnerability

Solution:
The vendor released a patch to address this issue. Please contact the vendor for information on obtaining and applying the patch.

WebEvent Webevent.CGI Cross-Site Scripting Vulnerability

References:

• PeopleCube Support Page (PeopleCube)
  
• Vendor Homepage (PeopleCube)