Harmoni 'Username' Field HTML Injection Vulnerability
BID:30637
Info
Harmoni 'Username' Field HTML Injection Vulnerability
| Bugtraq ID: | 30637 |
| Class: | Input Validation Error |
| CVE: |
CVE-2008-3596 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 11 2008 12:00AM |
| Updated: | May 07 2015 05:25PM |
| Credit: | Rapid7 |
| Vulnerable: |
Harmoni Harmoni 1.4.6 |
| Not Vulnerable: |
Harmoni Harmoni 1.4.7 |
Discussion
Harmoni 'Username' Field HTML Injection Vulnerability
Harmoni is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Versions prior to Harmoni 1.4.7 are vulnerable.
Harmoni is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Versions prior to Harmoni 1.4.7 are vulnerable.
Exploit / POC
Harmoni 'Username' Field HTML Injection Vulnerability
Attackers can use a browser to exploit this issue.
Attackers can use a browser to exploit this issue.
Solution / Fix
Harmoni 'Username' Field HTML Injection Vulnerability
Solution:
The vendor has released updates. Please see the references for more information.
Harmoni Harmoni 1.4.6
Solution:
The vendor has released updates. Please see the references for more information.
Harmoni Harmoni 1.4.6
-
Cuyahoga harmoni-1.4.7.zip
http://downloads.sourceforge.net/harmoni/harmoni-1.4.7.zip?modtime=121 8123188&big_mirror=0