Vanilla 1.1.4 HTML Injection and Cross-Site Scripting Vulnerabilities
BID:30748
Info
Vanilla 1.1.4 HTML Injection and Cross-Site Scripting Vulnerabilities
| Bugtraq ID: | 30748 |
| Class: | Input Validation Error |
| CVE: |
CVE-2008-3758 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 19 2008 12:00AM |
| Updated: | May 07 2015 05:24PM |
| Credit: | James Bercegay of the GulfTech Security Research Team |
| Vulnerable: |
Lussumo Vanilla 1.1.4 Lussumo Vanilla 1.1.3 Lussumo Vanilla 1.0.1 Lussumo Vanilla 1.0 |
| Not Vulnerable: |
Lussumo Vanilla 1.1.5 RC1 |
Discussion
Vanilla 1.1.4 HTML Injection and Cross-Site Scripting Vulnerabilities
Vanilla is prone to multiple HTML-injection vulnerabilities and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
Vanilla 1.1.4 is vulnerable; other versions may also be affected.
Vanilla is prone to multiple HTML-injection vulnerabilities and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
Vanilla 1.1.4 is vulnerable; other versions may also be affected.
Exploit / POC
Vanilla 1.1.4 HTML Injection and Cross-Site Scripting Vulnerabilities
Attackers can exploit these issues through a browser. To exploit the cross-site scripting issue, attackers must entice an unsuspecting user to follow a malicious URI.
The following example URI is available:
Attackers can exploit these issues through a browser. To exploit the cross-site scripting issue, attackers must entice an unsuspecting user to follow a malicious URI.
The following example URI is available:
Solution / Fix
Vanilla 1.1.4 HTML Injection and Cross-Site Scripting Vulnerabilities
Solution:
The vendor has released an update. Please see the references for more information.
Solution:
The vendor has released an update. Please see the references for more information.
References
Vanilla 1.1.4 HTML Injection and Cross-Site Scripting Vulnerabilities
References:
References:
- Vanilla Product Page (Lussumo)
- Vanilla <= 1.1.4 Script Injection/ XSS ( GulfTech Security Research
- [Sticky] Vanilla 1.1.5 release candidate 1 (Lussumo)