| HIO-2009-0828 BIGACE 2.6 Multiple Vulnerabilities |
|
|
|
|
BIGACE 2.6 and earlier contains flaws that allow cross-site scripting and cross-site request forgery.
1) XSS: Input passed to the "id" parameter via GET is not properly verified before being submitted to index.php. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
2) CSRF: The application allows users to perform all admin actions via HTTP requests without performing any validation checks to verify the requests. This can be exploited to e.g. perform administrative functions when a logged in user views a malicious web page.
These vulnerabilities are confirmed in version 2.6 and earlier.
References: CVE-2009-3120 BID: 36187 FrSIRT: N/A Nessus:N/A XF: 52916 Related: Vendor Solution:XSS patch |
| < Prev | Next > |
|---|