Serendipity karma plugin cross-site scripting vulnerability

Vulnerability ID: 1120596
Vulnerability type: Cross-site scripting
Published: 2011-11-03
Updated: 2019-12-12
CVE ID: CVE-2011-4090
CNNVD-ID: CNNVD-201911-1399
Platform: PHP
CVSS score: N/A
|Vulnerability source
https://www.exploit-db.com/exploits/36283
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201911-1399
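|Vulnerability details
The karma plugin in Serendipity versions before 1.6 contains a cross-site scripting vulnerability. The vulnerability stems from the web application's lack of proper validation of client-supplied data. An attacker can exploit it to execute client-side code.
|Exploit (EXP)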
source: http://www.securityfocus.com/bid/50502/info

Serendipity is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

This issue affects Serendipity 1.5.5; prior versions may also be affected. 

http://www.example.com/serendipity/serendipity_admin_image_selector.php?serendipity[filter][bp.ALT]=</script><script>alert(document.cookie)</script>&go=+-+Go!+-+
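
A defender-side check for the request shape shown above, as an added example that is not part of the original advisory: it scans web access log lines for requests to `serendipity_admin_image_selector.php` whose `serendipity[filter][...]` parameters carry markup characters. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script name and parameter shape come from the proof-of-concept URL on this page;
# everything else (log format, helper names, sample lines) is assumed/constructed.
TARGET_SCRIPT = "serendipity_admin_image_selector.php"
FILTER_PARAM = re.compile(r"^serendipity\[filter\]\[[^\]]*\]$")
# Characters that let a reflected value break out of HTML or an inline script block.
MARKUP = re.compile(r"[<>\"']")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_filter_params(request_target):
    """Return [(name, value)] for filter parameters carrying markup characters."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/" + TARGET_SCRIPT):
        return []
    hits = []
    # parse_qsl percent-decodes names and values, so %3C and a raw < are treated alike.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if FILTER_PARAM.match(name) and MARKUP.search(value):
            hits.append((name, value))
    return hits

def scan_access_log(lines):
    """Yield (line_number, hits) for each log line whose request is flagged."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if match:
            hits = suspicious_filter_params(match.group(1))
            if hits:
                yield number, hits

# Constructed sample lines (documentation IP range): a benign filter, the page's
# request in percent-encoded form, and the same parameter sent to another script.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Nov/2011:10:00:00 +0000] "GET /serendipity/serendipity_admin_image_selector.php'
    '?serendipity[filter][bp.ALT]=holiday&go=+-+Go!+-+ HTTP/1.1" 200 512',
    '192.0.2.11 - - [03/Nov/2011:10:00:05 +0000] "GET /serendipity/serendipity_admin_image_selector.php'
    '?serendipity%5Bfilter%5D%5Bbp.ALT%5D=%3C%2Fscript%3E%3Cscript%3Ealert(document.cookie)'
    '%3C%2Fscript%3E&go=+-+Go!+-+ HTTP/1.1" 200 530',
    '192.0.2.12 - - [03/Nov/2011:10:00:09 +0000] "GET /serendipity/index.php'
    '?serendipity%5Bfilter%5D%5Bbp.ALT%5D=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```
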
|References

Source: MISC
Link: https://access.redhat.com/security/cve/cve-2011-4090

Source: MISC
Link: https://seclists.org/oss-sec/2011/q4/176

Source: MISC
Link: https://security-tracker.debian.org/tracker/CVE-2011-4090

Source: nvd.nist.gov
Link: https://nvd.nist.gov/vuln/detail/CVE-2011-4090