Geeklog Forum Plugin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate HTML parameters such as "img src" upon submission to the application. This could allow a user to send a specially crafted request that would execute arbitrary code on the server leading to a loss of integrity. The Forum Plugin does not get installed by default during a Geeklog installation. Further, The IMG tag must explicitly be added to the Geeklog configuration file under the allowed HTML tags for this issue to manifest.
Classification
Location:
Remote / Network Access
Attack Type:
Information Disclosure,
Input Manipulation
Impact:
Loss of Confidentiality,
Loss of Integrity
Exploit:
Exploit Public
OSVDB:
Web Related
Solution
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
We currently have no CVSS2 data on this vulnerability. Feel free to suggest it.
Blogs
This product uses the Daylife API but is not endorsed or certified by Daylife.
This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.
