eGroupWare 'menuaction' Parameter Cross Site Scripting Vulnerability
BID:52925
Info
| Bugtraq ID: | 52925 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 06 2012 12:00AM |
| Updated: | Apr 06 2012 12:00AM |
| Credit: | Marcos Garcia |
| Vulnerable: | eGroupWare eGroupWare 1.8.002 |
| Not Vulnerable: | eGroupWare eGroupWare 1.8.4 20120405 |
Discussion
eGroupWare is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
eGroupWare 1.8.002 is vulnerable; other versions may also be affected.
Exploit / POC
An attacker can exploit this issue using a browser. To exploit a cross-site scripting issue, the attacker must entice a user into following a malicious URI.
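For defenders reviewing web server logs, the following added example (not part of the original advisory) flags requests whose 'menuaction' value does not have the expected shape. It assumes legitimate values look like `app.class.method`; the request paths, the sample value `addressbook.addressbook_ui.index` and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate menuaction values have the form "app.class.method".
EXPECTED = re.compile(r"[A-Za-z0-9_]+\.[A-Za-z0-9_]+\.[A-Za-z0-9_]+")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def suspicious_menuactions(log_lines):
    """Return (line_number, decoded_value) for every menuaction value
    that does not match the expected shape."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qs percent-decodes once; a double-encoded value still
        # contains '%' afterwards and therefore fails the shape check.
        values = parse_qs(query, keep_blank_values=True).get("menuaction", [])
        for value in values:
            if not EXPECTED.fullmatch(value):
                hits.append((number, value))
    return hits


# Constructed sample log lines (documentation IP addresses, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Apr/2012:10:00:01 +0000] "GET /egroupware/index.php?menuaction=addressbook.addressbook_ui.index HTTP/1.1" 200 5120',
    '192.0.2.11 - - [06/Apr/2012:10:00:07 +0000] "GET /egroupware/index.php?menuaction=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4871',
    '192.0.2.12 - - [06/Apr/2012:10:00:09 +0000] "GET /egroupware/login.php HTTP/1.1" 200 2048',
    '192.0.2.13 - - [06/Apr/2012:10:00:15 +0000] "GET /egroupware/index.php?menuaction=calendar.calendar_uiviews.index&x=%22%3E HTTP/1.1" 200 6033',
]

if __name__ == "__main__":
    for number, value in suspicious_menuactions(SAMPLE_LOG):
        print(f"line {number}: unexpected menuaction value {value!r}")
```

The check only inspects the 'menuaction' parameter, so the fourth sample line is not reported even though another parameter carries markup.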
Solution / Fix
Solution:
Reportedly, the vendor has fixed the issue; however, Symantec has not confirmed it. Please contact the vendor for more information.
References
References:
- eGroupWare Homepage (eGroupWare)