| VID |
21526 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Web server has a CGI file vulnerable to a cross-site scripting vulnerability. The relevant CGI could allow a remote attacker to inject arbitrary HTML and script code, caused by improper validation of user-supplied input passed to a specific parameter in the CGI. This vulnerability could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials or other attacks.
* References:
http://www.securitydocs.com/library/3261
http://www.securitydocs.com/library/3472
* Platforms Affected:
Any HTTP server Any version
Any operating system Any version |
| Recommendation |
Modify the affected CGI script to perform proper validation of user-supplied input passed to a specific parameter in the CGI. For details, please see the CERT Web site at http://stuff.mit.edu/afs/athena/astaff/reference/cert/Tips/cgi_metacharacters |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
