| VID |
21790 |
| Severity |
30 |
| Port |
8080, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The YACY Peer-To-Peer Search Engine is vulnerable to cross-site scripting attacks. YACY is a peer-to-peer distributed web search engine and caching web proxy written in Java. YACY Peer-To-Peer Search Engine version 0.31 is vulnerable to a cross-site scripting vulnerability, caused by improper validation of user-supplied input passed to the index.html and Wiki.html scripts. This vulnerability could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials or other attacks.
* References:
http://www.securityfocus.com/archive/1/385453
http://securitytracker.com/alerts/2004/Dec/1012686.html
* Platforms Affected:
YACY Peer-To-Peer Search Engine 0.31
Linux Any version
Unix Any version |
| Recommendation |
Upgrade to the latest version of YACY (0.32 or later), available from the YACY Download Web site at http://www.yacy.net/yacy/Download.html |
| Related URL |
CVE-2004-2651 (CVE) |
| Related URL |
12104 (SecurityFocus) |
| Related URL |
18688,18690 (ISS) |
|
