| VID |
21371 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The PostNuke, installed on the Web server, has a cross-site scripting vulnerability in the News Module. PostNuke, developed by Francisco Burzi, is a PHP content management system with a MySQL database. PostNuke versions 0.7.2.0 and 0.7.2.1 are vulnerable to a cross-site scripting vulnerability, caused by improper filtering the "sid" variable upon submission to the article.php script of the News Module. To be exploited successfully this attack, a remote user could steal session cookies or gain access to user specific information that may be sensitive and confidential.
* References:
http://www.osvdb.org/displayvuln.php?osvdb_id=5499
http://archives.neohapsis.com/archives/bugtraq/2002-11/0105.html
http://archives.neohapsis.com/archives/bugtraq/2002-09/0322.html
http://archives.neohapsis.com/archives/bugtraq/2002-10/0001.html
http://archives.neohapsis.com/archives/bugtraq/2002-09/0318.html
* Platforms Affected:
Francisco Burzi, PostNuke 0.7.2.0
Francisco Burzi, PostNuke 0.7.2.1
Windows Any version
Unix Any version
Linux Any version |
| Recommendation |
Upgrade to the latest version of PostNuke (0.750 or later), available from the PostNuke Web site at http://www.postnuke.com/ |
| Related URL |
(CVE) |
| Related URL |
5809 (SecurityFocus) |
| Related URL |
10239 (ISS) |
|
