| VID |
21324 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The PowerPortal installation on the web server, according to its version number, has a cross-site scripting vulnerability in the private message module. PowerPortal is a popular content management system for Unix-based platforms, written in PHP. Version 1.3 and possibly earlier versions of PowerPortal could allow a remote attacker to conduct a cross-site scripting attack, caused by improper filtering of HTML code from user-supplied input in the message title field. A remote attacker could send a specially crafted private message that, when viewed by a target user, would cause arbitrary scripting code to be executed by the target user's browser. If this vulnerability is exploited successfully, a remote attacker could steal the target user's cookies (including authentication cookies).
* Note: This check relies solely on the version of the remote PowerPortal program installed on the web server to assess this vulnerability, so the result might be a false positive.
* References: http://securitytracker.com/alerts/2004/Jul/1010802.html
* Platforms Affected: PowerPortal 1.1 b; PowerPortal 1.3 b; PowerPortal 1.3; Unix Any version |
| Recommendation |
No upgrade or patch available as of June 2014. Contact your vendor regarding this vulnerability. |
| Related URL |
CVE-2004-2514 (CVE) |
| Related URL |
10835 (SecurityFocus) |
| Related URL |
(ISS) |
|