| VID | 21505 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description |
PHP-Fusion is vulnerable to cross-site scripting through the img tag. PHP-Fusion is a freely available content management system (CMS) written in PHP that uses MySQL. PHP-Fusion versions 5.01 and earlier allow script to be embedded in the img tag. A remote attacker could use this to create a malicious URI link that includes hostile HTML and script code. If the link is followed, the hostile code may be rendered in the victim's web browser, in the security context of the affected web site, which may allow theft of cookie-based authentication credentials or other attacks.
* References: http://www.securityfocus.com/archive/1/392482 http://www.osvdb.org/displayvuln.php?osvdb_id=14608
* Platforms Affected: digitanium, PHP-Fusion versions 5.01 and earlier; Any operating system, Any version |
| Recommendation |
For PHP-Fusion 5.00: Install the PHP-Fusion 5.01 Service Pack, available from the download site at http://prdownloads.sourceforge.net/php-fusion/php-fusion-501-05-03-2005.zip?download
-- OR --
Upgrade to the latest version of PHP-Fusion (5.01 dated March 10, 2005 or later), available from the PHP-Fusion Web page at http://sourceforge.net/projects/php-fusion/ |
| Related URL | CVE-2005-0692 (CVE) |
| Related URL | 12751 (SecurityFocus) |
| Related URL | 19619 (ISS) |