holisticinfosec.org - HIO-2008-1022-2 MyGallery 1.7.2 XSS

Home
Blog
ISSA JRN's toolsmith
Best Practices
Links
Research
How To
Standards
Publications & Events
Simplicity
Philosophy
GNU GPL
In The News
F-Secure World Map
News
Security News Feeds
Open SRC Definition
Contact
Search

"What I hear, I forget. What I see, I remember. What I do, I understand. - Kung Fu Tzu (Confucius)"

RSS

HIO-2008-1022-2 MyGallery 1.7.2 XSS

Planetluc's MyGallery 1.7.2 and earlier contains flaws that allows remote cross site scripting.
Cross-site scripting exists because the application does not validate the "mghash" variable upon GET submission. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

References:

BID: 32067

CVE-2008-4892

OSVDB: 49504

SA: 32505

XF: 46200

Vendor Solution: Upgrade to version 1.8.1

< Prev		Next >

[ Back ]