Cybertrion Systems

[2/5] Absolute Poll Manager XE “msg” Cross-Site Scripting

August 31st, 2007 by

Richard Brain and Adrian Pastor have reported a vulnerability in Absolute Poll Manager XE, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "msg" parameter in xlaapmview.asp (when "p" is set to a numeric value) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

The vulnerability is reported in version 4.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Richard Brain and Adrian Pastor

Original Advisory:
PR07-23:
http://www.procheckup.com/Vulnerability_PR07-23.php

Original post by amit
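A log-triage check for the condition described above, as an added example that is not part of the original advisory or the vendor's code: it flags requests to xlaapmview.asp where "p" is numeric and the decoded "msg" value contains HTML metacharacters, and shows the HTML-encoded form a fixed page would echo. The `/polls/` path, the sample requests and the function names are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Characters that alter HTML structure if echoed back unencoded.
# The apostrophe can produce false positives on ordinary text; tune as needed.
HTML_META = re.compile(r"[<>\"']")

# Constructed sample request lines (path + query as seen in a web server log).
SAMPLE_REQUESTS = [
    "/polls/xlaapmview.asp?p=1&msg=Thanks+for+voting",
    "/polls/xlaapmview.asp?p=1&msg=%3Cb%3Etest%3C/b%3E",
    "/polls/xlaapmview.asp?p=abc&msg=%3Cb%3Ex%3C/b%3E",
    "/polls/XLAAPMVIEW.ASP?P=7&MSG=%22%3E%3Ci%3E",
    "/polls/other.asp?p=1&msg=%3Ci%3E",
]

def flagged_msg(request):
    """Return the decoded msg value if the request matches the advisory's
    conditions (xlaapmview.asp, numeric p, markup in msg), else None."""
    parts = urlsplit(request)
    # IIS paths and ASP parameter names are case-insensitive.
    if parts.path.rsplit("/", 1)[-1].lower() != "xlaapmview.asp":
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    params = {key.lower(): values for key, values in query.items()}
    p_value = params.get("p", [""])[0]
    if not re.fullmatch(r"[0-9]+", p_value):
        return None
    for msg in params.get("msg", []):
        if HTML_META.search(msg):
            return msg
    return None

def triage(requests):
    """Return (request, decoded_msg, html_encoded_msg) for each flagged request."""
    hits = []
    for request in requests:
        msg = flagged_msg(request)
        if msg is not None:
            # html.escape gives the encoded text a corrected page would output.
            hits.append((request, msg, html.escape(msg, quote=True)))
    return hits

if __name__ == "__main__":
    for request, msg, encoded in triage(SAMPLE_REQUESTS):
        print(f"FLAG {request}\n  msg={msg!r}\n  encoded={encoded!r}")
```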
