Asteriskguru Queue Statistics 'warning' Parameter Cross Site Scripting Vulnerability

Bugtraq ID:	58418
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 10 2013 12:00AM
Updated:	Mar 10 2013 12:00AM
Credit:	Manuel Garcia Cardenas
Vulnerable:	asterisKGuru Queue Statistics 0
Not Vulnerable:

Asteriskguru Queue Statistics 'warning' Parameter Cross Site Scripting Vulnerability

Asteriskguru Queue Statistics is prone to an cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Asteriskguru Queue Statistics 'warning' Parameter Cross Site Scripting Vulnerability

An attacker can exploit the issue by enticing an unsuspecting user to visit a specially crafted URL.

The following example URI is available:

http://www.example.com/public/error.php?warning=<XSS injection>

Asteriskguru Queue Statistics 'warning' Parameter Cross Site Scripting Vulnerability

Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Asteriskguru Queue Statistics 'warning' Parameter Cross Site Scripting Vulnerability

References:

• [ISecAuditors Security Advisories] Reflected XSS in Asteriskguru Queue Statistic ( Full Disclosure)
  
• Asteriskguru Queue Statistics Homepage (Asteriskguru)