Xoops 1.3.5 – Private Message System Font Attributes HTML Injection


Vulnerability ID 1053637 Vulnerability type
Published 2002-11-09 Updated 2002-11-09
CVE ID N/A
CNNVD-ID N/A
Platform PHP CVSS score N/A
|Vulnerability source
https://www.exploit-db.com/exploits/22080
|Vulnerability details
Vulnerability details have not yet been disclosed.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/6344/info

Xoops includes a Private Message System that lets users send messages to one another. The HTML tags used for font attributes are not sufficiently filtered for malicious HTML code, so an attacker can supply input in the HTML font tags that contains arbitrary script code. When another user receives the attacker's private message, the script code is executed in that user's browser in the context of the site running Xoops.

<b onMouseOver="alert(document.location);">test</b>
<i onClick="alert(document.location);">test</i>
<u onClick="alert('Hello');">test</u>
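
A defensive counterpart to the filtering gap described above, added here as an example and not taken from Xoops or from the advisory: the message body is escaped in full, and only bare, balanced `<b>`, `<i>` and `<u>` pairs are turned back into markup. The function name `render_pm_body`, the constant `PM_ALLOWED_TAGS` and the three-tag allow-list are assumptions.

```php
<?php
// Added example, not Xoops code. Requires PHP 7.0+.
// Assumption: private messages may use only bare <b>, <i>, <u> for emphasis.

const PM_ALLOWED_TAGS = 'b|i|u';

function render_pm_body(string $raw): string
{
    // Step 1: escape everything, so nothing the sender typed is live markup.
    $html = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Step 2: re-enable only balanced, attribute-free pairs from the allow-list.
    // A tag such as <b onMouseOver="..."> never matches, because the tag name
    // must be followed directly by the escaped ">", so it stays inert text.
    $pair = '~&lt;(' . PM_ALLOWED_TAGS . ')&gt;(.*?)&lt;/\1&gt;~is';
    do {
        $next = preg_replace($pair, '<$1>$2</$1>', $html, -1, $count);
        if ($next === null) {
            // Regex engine error: return what we have, which is still escaped
            // everywhere except for already re-enabled bare pairs.
            return $html;
        }
        $html = $next;
    } while ($count > 0); // repeat so nested pairs are re-enabled too

    return $html;
}

// Constructed check: the three strings from the advisory plus one benign message.
$samples = [
    '<b onMouseOver="alert(document.location);">test</b>',
    '<i onClick="alert(document.location);">test</i>',
    '<u onClick="alert(\'Hello\');">test</u>',
    '<b>bold <i>and italic</i></b>',
];

foreach ($samples as $sample) {
    echo render_pm_body($sample), PHP_EOL;
}
```

The first three samples come out fully escaped and display as literal text, while the benign message keeps its bold and italic formatting.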
