| VID |
21323 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The PostNuke installation on the Web server has a cross-site scripting vulnerability in the Reviews module. PostNuke, developed by Francisco Burzi, is a PHP content management system with a MySQL database. PostNuke versions 0.726-3 and 0.75-RC3, and possibly other versions, are vulnerable to cross-site scripting caused by improper filtering of the 'title' parameter of the 'Reviews' script. By successfully exploiting this vulnerability, a remote user could steal session cookies or gain access to user-specific information that may be sensitive and confidential.
* References: http://www.swp-zone.org/archivos/advisory-10.txt ; http://securitytracker.com/alerts/2004/Jul/1010733.html
* Platforms Affected: PostNuke Development Team PostNuke 0.75-RC3; PostNuke Development Team PostNuke 0.726-3; Windows Any version; Unix Any version; Linux Any version |
| Recommendation |
No upgrade or patch available as of June 2014.
Upgrade to the latest version of PostNuke when a fixed version becomes available from the PostNuke Web site at http://www.postnuke.com/ |
| Related URL |
(CVE) |
| Related URL |
10802 (SecurityFocus) |
| Related URL |
(ISS) |
|