LiveJournal contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the URI pointing to an image upon submission to the LiveJournal style sheet. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
It has been reported that LiveJournal is prone to a remote HTML injection vulnerability. This issue arises due to insufficient sanitization of user provided input allowing injection of HTML and script code into site content.
The injected code could then be interpreted by the browser of a user visiting a page that includes user-supplied hostile content. This attack would occur in the security context of the affected site.
This could be used to steal cookie-based authentication from other users. Other attacks are also possible.
It should be noted that the attacker must be a registered user with the ability to post malicious content in their journal.
No exploit is required to leverage this issue.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org <mailto:email@example.com>.