[Original text] Multiple cross-site scripting (XSS) vulnerabilities in Centra 7 allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) first name, or (3) last name fields.
Centra Session Enrollment Profile Multiple Field XSS
Remote / Network Access
Input Manipulation
Loss of Confidentiality,
Loss of Integrity
Exploit Public
-
Vulnerability description
Centra contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the 'username', 'first name', and 'last name' fields are not properly sanitised before being used on the Enrollment Profile. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
-
Timeline
2005-04-12
Unknown
2005-04-12
Unknown
-
Solution
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Discovery of this vulnerability is credited to Clorox <elac2k@hotmail.com>.
-
Affected program versions
Centra Centra 7
-
Vulnerability discussion
Centra 7 is affected by multiple HTML injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.
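To make the defect described above concrete, the following added example (not Centra's code) renders the three Enrollment Profile fields named in the advisory once without output encoding and once with it, plus a small regression check that flags raw markup surviving into the page. The HTML template, field keys and sample input are assumptions constructed for the illustration.

```python
"""Added example (not Centra's code): render the Enrollment Profile fields
with and without output encoding. Only the three field names come from the
advisory; the template and sample values are constructed assumptions."""
from html import escape

FIELDS = ("username", "first_name", "last_name")


def render_profile_unsafe(profile: dict) -> str:
    """Mirrors the defect described above: values are concatenated into HTML
    as-is, so any markup in a field becomes part of the page."""
    return (
        "<div class='profile'>"
        f"<span id='user'>{profile['username']}</span>"
        f"<span id='first'>{profile['first_name']}</span>"
        f"<span id='last'>{profile['last_name']}</span>"
        "</div>"
    )


def render_profile_safe(profile: dict) -> str:
    """Hardened form: every field is HTML-entity-encoded before insertion.
    quote=True also encodes ' and \", so the same encoding is safe if a value
    later ends up inside a quoted attribute."""
    enc = {k: escape(str(profile.get(k, "")), quote=True) for k in FIELDS}
    return (
        "<div class='profile'>"
        f"<span id='user'>{enc['username']}</span>"
        f"<span id='first'>{enc['first_name']}</span>"
        f"<span id='last'>{enc['last_name']}</span>"
        "</div>"
    )


def contains_raw_markup(rendered: str, fields: dict) -> bool:
    """Regression check for a test suite: does any submitted value that
    carries a '<' appear verbatim (unencoded) in the rendered output?"""
    return any("<" in v and v in rendered for v in fields.values())


# Constructed sample input: a harmless marker tag stands in for injected script,
# and an apostrophe in the surname shows that quote encoding is applied too.
SAMPLE = {"username": "<script>probe()</script>",
          "first_name": "Ann",
          "last_name": "O'Neil"}

if __name__ == "__main__":
    print(render_profile_unsafe(SAMPLE))  # marker tag survives intact
    print(render_profile_safe(SAMPLE))    # marker tag is entity-encoded
```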
-
Exploit
No exploit is required.
-
Solution
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.