Hero Framework CVE-2013-2649 Multiple Cross-Site Scripting Vulnerabilities

Bugtraq ID:	59041
Class:	Input Validation Error
CVE:	CVE-2013-2649
Remote:	Yes
Local:	No
Published:	Apr 10 2013 12:00AM
Updated:	Apr 10 2013 12:00AM
Credit:	High-Tech Bridge SA
Vulnerable:	Electric Function, Inc Hero 3.791
Not Vulnerable:	Electric Function, Inc Hero 3.80

Hero Framework CVE-2013-2649 Multiple Cross-Site Scripting Vulnerabilities

Hero is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Hero 3.791 is vulnerable; other versions may also be affected.

Hero Framework CVE-2013-2649 Multiple Cross-Site Scripting Vulnerabilities

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Hero Framework CVE-2013-2649 Multiple Cross-Site Scripting Vulnerabilities

References:

• Hero Homepage (Electric Function, Inc)
  
• Multiple XSS in Hero Framework (High-Tech Bridge)