ActiveKB NX Index.PHP Cross-Site Scripting Vulnerability

Bugtraq ID:	26027
Class:	Input Validation Error
CVE:	CVE-2007-5426
Remote:	Yes
Local:	No
Published:	Oct 11 2007 12:00AM
Updated:	May 07 2015 05:34PM
Credit:	durito is credited with the discovery of this vulnerability.
Vulnerable:	Interspire ActiveKB NX 2.6
Not Vulnerable:	Interspire ActiveKB NX 2.7.1 Interspire ActiveKB NX 2.7

ActiveKB NX Index.PHP Cross-Site Scripting Vulnerability

ActiveKB NX is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal potentially sensitive information and launch other attacks.

This issue affects ActiveKB NX 2.6; other versions may also be vulnerable.

ActiveKB NX Index.PHP Cross-Site Scripting Vulnerability

An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.

The following proof-of-concept URI is available:

http://www.example.com/ActiveKB/page?=XSS

ActiveKB NX Index.PHP Cross-Site Scripting Vulnerability

Solution:
The vendor has released ActiveKB NX 2.7 to address this issue. Please contact the vendor for information on obtaining and applying this release.

ActiveKB NX Index.PHP Cross-Site Scripting Vulnerability

References:

• ActiveKB Homepage (Interspire)