BID:52221

Dotclear Multiple Cross Site Scripting Vulnerabilities

Info

Dotclear Multiple Cross Site Scripting Vulnerabilities

Bugtraq ID:	52221
Class:	Input Validation Error
CVE:	CVE-2012-1039
Remote:	Yes
Local:	No
Published:	Feb 29 2012 12:00AM
Updated:	Feb 29 2012 12:00AM
Credit:	High-Tech Bridge SA Security Research Lab
Vulnerable:	Dotclear Dotclear 2.4.1.2

Not Vulnerable:	Dotclear Dotclear 2.4.2

Discussion

Dotclear Multiple Cross Site Scripting Vulnerabilities

Dotclear is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Dotclear 2.4.1.2 is vulnerable; prior versions may also be affected.

Exploit / POC

Dotclear Multiple Cross Site Scripting Vulnerabilities

Attackers can exploit these issues by enticing an unsuspecting victim to follow a malicious URI.

The following example URIs are available:

/data/vulnerabilities/exploits/52221.txt

Solution / Fix

Dotclear Multiple Cross Site Scripting Vulnerabilities

Solution:
Updates are available. Please see the references for more information.

References

Dotclear Multiple Cross Site Scripting Vulnerabilities

References:

Dotclear Homepage (Dotclear)
Multiple XSS in Dotclear (High-Tech Bridge SA Security Research Lab)