Able to inject HTML into URL

Brought to you by: vondo

#33 Able to inject HTML into URL

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2013-04-12

Created: 2013-04-12

Creator: Anonymous

Private: No

The ShowDocument and /cgi-bin/ListAllMeetings are vulnerable to HTML injection. For example, the following will generate a popup window on clients:

/DocDB/ShowDocument?docid=3660e4698</title><script>alert(1)</script>5a2aec62a0c