SmokePing 'displaymode' Parameter Cross Site Scripting Vulnerability

Bugtraq ID:	51584
Class:	Input Validation Error
CVE:	CVE-2012-0790
Remote:	Yes
Local:	No
Published:	Jan 20 2012 12:00AM
Updated:	Apr 13 2015 10:24PM
Credit:	Russ McRee
Vulnerable:	SmokePing SmokePing 2.6.6 Debian Linux 6.0 sparc Debian Linux 6.0 s/390 Debian Linux 6.0 powerpc Debian Linux 6.0 mips Debian Linux 6.0 ia-64 Debian Linux 6.0 ia-32 Debian Linux 6.0 arm Debian Linux 6.0 amd64
Not Vulnerable:	SmokePing SmokePing 2.6.7

SmokePing 'displaymode' Parameter Cross Site Scripting Vulnerability

SmokePing is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

SmokePing 2.6.6 is vulnerable; prior versions may also be affected.

SmokePing 'displaymode' Parameter Cross Site Scripting Vulnerability

Attackers can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.

SmokePing 'displaymode' Parameter Cross Site Scripting Vulnerability

Solution:
Updates are available; please see the references for more information.

SmokePing 'displaymode' Parameter Cross Site Scripting Vulnerability

References:

• HIO-2012-0109 Smokeping 2.6 XSS (HolisticInfoSec)
  
• SmokePing Changelog (SmokePing)
  
• SmokePing Homepage (SmokePing)