Xoops 1.3.5 – Private Message System Font Attributes HTML Injection


Vulnerability ID: 1053637
Vulnerability type:
Published: 2002-11-09
Updated: 2002-11-09
CVE ID: N/A
CNNVD-ID: N/A
Platform: PHP
CVSS score: N/A
|Vulnerability source
https://www.exploit-db.com/exploits/22080
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit
source: http://www.securityfocus.com/bid/6344/info

Xoops includes a Private Message System that lets users send messages to one another. HTML tags used for font attributes are not sufficiently filtered for malicious HTML code, so an attacker can supply input in the HTML font tags that contains arbitrary script code. When another user receives the attacker's private message, the script code is executed in that user's browser in the context of the site running Xoops.

<b onMouseOver="alert(document.location);">test</b>
<i onClick="alert(document.location);">test</i>
<u onClick="alert('Hello');">test</u>
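
One way to close this class of bug, shown as an added example that is not part of the advisory and is not Xoops code: escape the entire message first, then re-enable only attribute-free formatting tags. The function name pm_sanitize_message, the constant PM_ALLOWED_TAGS and the fourth sample message are assumptions made for illustration.

```php
<?php
// Added example: tag list and function name are assumptions, not Xoops code.
const PM_ALLOWED_TAGS = ['b', 'i', 'u'];

// Escape the whole message, then re-enable only attribute-free formatting
// tags. A tag carrying any attribute (onMouseOver, onClick, ...) never
// matches the pattern, so it stays escaped and renders as inert text.
function pm_sanitize_message(string $raw): string
{
    $escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $pattern = '#&lt;(/?)(' . implode('|', PM_ALLOWED_TAGS) . ')&gt;#i';
    $open = [];  // stack of allowed tags that are currently open

    $out = preg_replace_callback(
        $pattern,
        function (array $m) use (&$open): string {
            $tag = strtolower($m[2]);
            if ($m[1] === '') {               // opening tag
                $open[] = $tag;
                return "<$tag>";
            }
            // Closing tag: emit it only if it closes the innermost open tag.
            if ($open && end($open) === $tag) {
                array_pop($open);
                return "</$tag>";
            }
            return $m[0];                     // stray close stays escaped
        },
        $escaped
    );

    // Close whatever is still open so formatting cannot bleed into the page.
    while ($open) {
        $out .= '</' . array_pop($open) . '>';
    }
    return $out;
}

// The three inputs from the advisory, plus one constructed benign message.
$samples = [
    '<b onMouseOver="alert(document.location);">test</b>',
    '<i onClick="alert(document.location);">test</i>',
    '<u onClick="alert(\'Hello\');">test</u>',
    '<b>bold</b> and <i>unclosed',
];
foreach ($samples as $s) {
    echo pm_sanitize_message($s), PHP_EOL;
}
```

Because every byte of the message is entity-encoded before any tag is restored, the only markup that can reach the recipient's browser is a bare opening or closing b, i or u tag.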
