XSS vulnerability on CMME version <= 1.20.
An attacker can inject HTML code inside the login page.
1) Go to admin.php
2) In username insert HTML code (ex: <script>alert('I ve injected this');</script>) and for password anything you want
3) Press the "Login" button and the code will be executed
You should not put in output what the user wrote.
Please fix in the next release.
Regards from Italy
R00T_ATI
r00t.ati@gmail.com
Nobody/Anonymous ( nobody ) - 2009-01-11 23:49
5
Closed
Fixed
Nobody/Anonymous
None
None
Public
Date: 2009-07-04 19:32 Thanks! I'll fix this in version 1.22.
| Field | Old Value | Date | By |
|---|---|---|---|
| resolution_id | Accepted | 2009-10-13 16:08 | hoesterholt |
| status_id | Open | 2009-07-04 19:32 | hoesterholt |
| resolution_id | None | 2009-07-04 19:32 | hoesterholt |
| allow_comments | 1 | 2009-07-04 19:32 | hoesterholt |
| close_date | - | 2009-07-04 19:32 | hoesterholt |
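
The fix the report asks for, encoding the submitted username before it is written back into the login page, shown as an added example that is not CMME source code. The function names, the error message and the form markup are hypothetical, and it assumes the username is reflected both in an error line and in the form field.

```php
<?php
// Added illustration; not CMME code. All function names and markup are hypothetical.

// Vulnerable pattern: the submitted username is concatenated into the page
// unchanged, so any markup it contains becomes part of the document.
function render_login_unsafe(string $username): string
{
    return '<p class="error">Login failed for ' . $username . '</p>'
         . '<input type="text" name="username" value="' . $username . '">';
}

// Output encoding for HTML text and quoted attribute values.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: encode at the point of output, in every place the
// value is written (message text and attribute value alike).
function render_login_safe(string $username): string
{
    return '<p class="error">Login failed for ' . h($username) . '</p>'
         . '<input type="text" name="username" value="' . h($username) . '">';
}

// Input from step 2 of the report, plus a constructed attribute-breakout case.
$samples = [
    "<script>alert('I ve injected this');</script>",
    '" onfocus="alert(1)" autofocus="',
];

foreach ($samples as $submitted) {
    $safe = render_login_safe($submitted);
    // Regression check: no raw tag or attribute from the input survives encoding.
    if (strpos($safe, '<script') !== false || strpos($safe, '" onfocus=') !== false) {
        throw new RuntimeException('username reached the page unencoded');
    }
    echo "unsafe: ", render_login_unsafe($submitted), "\n";
    echo "safe:   ", $safe, "\n\n";
}
```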