Stoneware webNetwork Cross Site Request Forgery and HTML Injection Vulnerabilities
| Bugtraq ID: | 51644 |
| Class: | Input Validation Error |
| CVE: | CVE-2012-0285 CVE-2012-0286 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 23 2012 12:00AM |
| Updated: | Jan 23 2012 12:00AM |
| Credit: | Jacob Holcomb of Leland Public Schools |
| Vulnerable: | Stoneware WebNetwork 6.0.7 0 |
| Not Vulnerable: | Stoneware WebNetwork 6.0.8 0 |
Discussion
Stoneware webNetwork is prone to a cross-site request-forgery vulnerability and multiple HTML-injection vulnerabilities.
An attacker can exploit the cross-site request-forgery issue to perform unauthorized actions in the context of a user's session. This may aid in other attacks.
The attacker can exploit the HTML-injection issues to execute script code in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user.
Stoneware webNetwork versions prior to 6.0.8.0 are vulnerable.
References
- webNetwork Homepage (Stoneware)
- Multiple Security Issues have been fixed in 6.0.8.0 (Stoneware)