Info
Last Modified: 8 months ago

Description
IntranetApp, PortalApp and ProjectApp all contain a flaw that may allow a malicious user to inject code to be executed by a user or admin. The issue is triggered by injecting a script into a field normally used for a link or text. It is possible that the flaw may allow the execution of arbitrary code resulting in a loss of confidentiality, integrity, and/or availability.

Classification
Unknown or Incomplete

Technical
There are at least three vulnerable ASP files: forums.asp, submit.asp and upd_user.asp.
forums.asp allows a malicious user to post a script into the title and message form fields. As messages are posted to the main page of the website, all users can be affected.
submit.asp allows a malicious user to submit a script instead of an expected link. The admin is affected when this submission is reviewed.
The profile section also contains multiple vulnerabilities. Scripts injected into the profile update form via upd_user.asp are executed when the affected profile is viewed by user_public.asp. The vulnerable form fields are: First Name, Last Name, and Country.
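
An added example, not vendor code and not a vendor patch, showing how the fields named above (forum title and message, the submitted link, and the profile fields First Name, Last Name and Country) can be encoded on output and how the link can be restricted to http(s). It is written in JavaScript for illustration rather than as ASP; all function names and sample values are assumptions.

```javascript
// Added illustration; not code from IntranetApp, PortalApp or ProjectApp.
// Function names and the sample record are hypothetical / constructed.

// Encode HTML-significant characters so stored text renders as text.
function htmlEncode(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept a submitted link only if it is an absolute http(s) URL.
// Returns the normalized URL, or null when the value is rejected.
function validateLink(value) {
  let url;
  try {
    url = new URL(String(value).trim());
  } catch (err) {
    return null; // not an absolute URL at all (e.g. markup in the link field)
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.href;
}

// Forum post: title and message are encoded when written to the page.
function renderPost(post) {
  return `<h3>${htmlEncode(post.title)}</h3>\n<p>${htmlEncode(post.message)}</p>`;
}

// Public profile view: the three profile fields are encoded on output.
function renderProfile(profile) {
  return ["First Name", "Last Name", "Country"]
    .map((f) => `<tr><th>${f}</th><td>${htmlEncode(profile[f] || "")}</td></tr>`)
    .join("\n");
}

// Admin review page: the link is validated, then encoded into the attribute.
function renderSubmission(link) {
  const safe = validateLink(link);
  if (safe === null) return "<em>rejected: not an http(s) link</em>";
  const enc = htmlEncode(safe);
  return `<a href="${enc}" rel="noopener noreferrer">${enc}</a>`;
}

// Constructed sample input.
const samplePost = { title: "<script>alert(1)</script>", message: "Tom & Jerry" };
console.log(renderPost(samplePost));
console.log(renderSubmission("https://example.com/page?a=1&b=2"));
```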

Solution
Currently, there are no known upgrades, patches, or workarounds available to correct this issue. The vendor has committed to releasing a patch.

Products
PortalApp: Unknown or Unspecified
ProjectApp: Unknown or Unspecified
IntranetApp: Unknown or Unspecified

Credit
Unknown or Incomplete