e107 Cross Site Scripting, HTML Injection and SQL Injection Vulnerabilities
BID:51253
Info
| Bugtraq ID: | 51253 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 03 2012 12:00AM |
| Updated: | Jan 03 2012 12:00AM |
| Credit: | mghack via Secunia |
| Vulnerable: | e107 e107 0.7.26 |
| Not Vulnerable: | e107 e107 1.0 |
Discussion
e107 is prone to an HTML injection vulnerability, an SQL injection vulnerability, and multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
Exploiting these issues could allow an attacker to run malicious HTML and script code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
e107 0.7.26 is vulnerable; other versions may be affected.
Exploit / POC
An attacker can exploit these issues through a browser. An attacker must trick an unsuspecting victim into following a malicious URI to exploit the cross-site scripting issues.
Solution / Fix
Solution:
Updates are available; please see the references for more information.
References
References:
- CVE-request: Multiple e107 vulnerabilities (Henri Salo)
- e107 CMS Homepage (e107)
- e107 Inc. announces new branding and the release of v1.0 (e107)