SASHA 'instructors' Parameter HTML-injection vulnerability

Bugtraq ID:	51118
Class:	Input Validation Error
CVE:	CVE-2011-5042
Remote:	Yes
Local:	No
Published:	Dec 19 2011 12:00AM
Updated:	Jan 10 2012 10:00PM
Credit:	G13
Vulnerable:	gphemsley SASHA 0.2
Not Vulnerable:

SASHA 'instructors' Parameter HTML-injection vulnerability

SASHA is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may exploit the HTML-injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is displayed, and launch other attacks.

SASHA 0.2.0 is vulnerable; other versions may also be affected.

SASHA 'instructors' Parameter HTML-injection vulnerability

Attackers can use a browser to exploit this issue.

SASHA 'instructors' Parameter HTML-injection vulnerability

Solution:
Updates are available. Please see the references for more information.

SASHA 'instructors' Parameter HTML-injection vulnerability

References:

• 0000013: SASHA v0.2.0 Mutiple XSS (SASHA)
  
• SASHA Homepage (gphemsley)
  
• SASHA v0.2.0 Mutiple XSS ([email protected])