Geeklog CVE-2013-1470 Cross Site Scripting Vulnerability

Bugtraq ID:	58209
Class:	Input Validation Error
CVE:	CVE-2013-1470
Remote:	Yes
Local:	No
Published:	Feb 27 2013 12:00AM
Updated:	Feb 27 2013 12:00AM
Credit:	High-Tech Bridge Security Research Lab
Vulnerable:	Geeklog Geeklog 1.8.2
Not Vulnerable:	Geeklog Geeklog 1.8.2sr1

Geeklog CVE-2013-1470 Cross Site Scripting Vulnerability

Geeklog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Geeklog 1.8.2 is vulnerable; other versions may also be affected.

Geeklog CVE-2013-1470 Cross Site Scripting Vulnerability

An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.

The following example data is available:

• /data/vulnerabilities/exploits/58209.txt

Geeklog CVE-2013-1470 Cross Site Scripting Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Geeklog CVE-2013-1470 Cross Site Scripting Vulnerability

References:

• Geeklog 1.8.2sr1 and 2.0.0rc2 Changelog (Geeklog)
  
• Geeklog Homepage (Geeklog)
  
• Cross-Site Scripting (XSS) in Geeklog (High-Tech Bridge SA)