XWiki Enterprise Multiple HTML Injection Vulnerabilities
BID:51867
Info
| Bugtraq ID: | 51867 |
| Class: | Input Validation Error |
| CVE: | CVE-2012-1019 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 05 2012 12:00AM |
| Updated: | Feb 09 2012 12:00PM |
| Credit: | Sony |
| Vulnerable: | XWiki XWiki Enterprise 3.4 |
| Not Vulnerable: | |
Discussion
XWiki Enterprise is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
XWiki Enterprise 3.4 is vulnerable; other versions may be affected.
Exploit / POC
An attacker can exploit these issues through a browser.
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
References:
- Exploit Title: XWiki Cross Site Scripting (st2tea)
- XWiki Enterprise Homepage (XWiki)