Elgg Cross Site Scripting and Multiple Security Bypass Vulnerabilities

Bugtraq ID:	53623
Class:	Unknown
CVE:	CVE-2012-6563 CVE-2012-6562 CVE-2012-6561
Remote:	Yes
Local:	No
Published:	May 21 2012 12:00AM
Updated:	May 24 2013 05:14AM
Credit:	Yang Dingjie, Qualys, Pawe&#322, Sroka, Mike Hedman.
Vulnerable:	Curverider Elgg 1.8.4
Not Vulnerable:	Curverider Elgg 1.8.5

Elgg Cross Site Scripting and Multiple Security Bypass Vulnerabilities

Elgg is prone to the following vulnerabilities:

1. Multiple security-bypass vulnerabilities.

2. A cross-site scripting vulnerability.

Successfully exploiting these issues may allow an attacker to bypass certain security restrictions, execute arbitrary script code in the browser of an unsuspecting user, steal cookie-based authentication credentials, and perform certain administrative actions in the vulnerable application.

Elgg 1.8.4 is vulnerable. prior versions may also get affected.

Elgg Cross Site Scripting and Multiple Security Bypass Vulnerabilities

Attackers can use a browser to exploit these issues. To exploit a cross-site scripting vulnerability, the attacker must entice a victim to follow a malicious URI.

Elgg Cross Site Scripting and Multiple Security Bypass Vulnerabilities

Solution:
Updates are available. Please see the references for more information.

Elgg Cross Site Scripting and Multiple Security Bypass Vulnerabilities

References:

• Elgg Homepage (Curverider)
  
• Elgg Cross-Site Scripting and Security Bypass Vulnerabilities (Curverider)