SimpNews Multiple Cross-Site Scripting Vulnerabilities

Bugtraq ID:	25809
Class:	Input Validation Error
CVE:	CVE-2007-4874
Remote:	Yes
Local:	No
Published:	Sep 25 2007 12:00AM
Updated:	Sep 25 2007 10:29PM
Credit:	Jesper Jurcenoks is credited with the discovery of these vulnerabilities.
Vulnerable:	SimpNews SimpNews 2.41.3
Not Vulnerable:	SimpNews SimpNews 2.42.1

SimpNews Multiple Cross-Site Scripting Vulnerabilities

SimpNews is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

These issues affect SimpNews 2.41.03; prior versions may also be affected.

SimpNews Multiple Cross-Site Scripting Vulnerabilities

To exploit these issues, an attacker must entice an unsuspecting victim into following a malicious URI.

The following proof-of-concept URIs are available.

• /data/vulnerabilities/exploits/25809.html

SimpNews Multiple Cross-Site Scripting Vulnerabilities

Solution:
The vendor released an update to address these issues. Please see the references for more information.

SimpNews Multiple Cross-Site Scripting Vulnerabilities

References:

• SimpNews Homepage (Bosch)
  
• SimpNews version 2.41.03 Multiple XSS Attack Vulnerabilities ([email protected])