WebChat XSS

This script is Copyright (C) 2003-2014 Tenable Network Security, Inc.


Synopsis :

The remote CGI is vulnerable to an injection attack.

Description :

The remote host is vulnerable to a cross-site scripting attack through
its web chat module :

- An attacker may create a new user with a bogus email address containing
JavaScript code
- Then the profile of the newly created user or the 'lost password' page
for this user will display the unprocessed JavaScript to the user

An attacker may use this flaw to steal the cookies of your regular users.
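
The flaw described above, as an added example that is not code from the plugin or from WebChat: a stored e-mail value written into a page unprocessed, next to the two controls that stop it (an allow-list check at registration and HTML encoding at output). The function names, the regular expression and the sample address are assumptions made for illustration, and Python is used only to demonstrate the pattern.

```python
import html
import re

# Conservative allow-list for the address stored at registration (an assumption,
# stricter than RFC 5322): no quotes, angle brackets, spaces or control chars.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def register(users, name, email):
    """Store a new user only if the address passes the allow-list."""
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        return False
    users[name] = email
    return True


def render_profile_unsafe(name, email):
    """The flawed pattern: stored values concatenated into HTML unprocessed."""
    return "<p>User: " + name + "</p><p>E-mail: " + email + "</p>"


def render_profile(name, email):
    """Hardened: every stored value is HTML-encoded at output time."""
    return "<p>User: {}</p><p>E-mail: {}</p>".format(
        html.escape(name, quote=True), html.escape(email, quote=True)
    )


# Constructed sample: an address field carrying markup instead of an address.
BOGUS = "<script>alert(1)</script>@example.invalid"

if __name__ == "__main__":
    users = {}
    print(register(users, "mallory", BOGUS))            # rejected at input
    print(register(users, "alice", "alice@example.org"))  # accepted
    # A record stored before validation existed still needs output encoding:
    print(render_profile_unsafe("legacy", BOGUS))
    print(render_profile("legacy", BOGUS))
```

Output encoding is the control that matters for both pages named above, the profile and the 'lost password' page, because it also covers records stored before any input validation was in place.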

See also :

http://www.securityfocus.com/archive/1/316173

Solution :

None at this time, but see the following website for additional
information: http://www.nessus.org/u?d8323071.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:H/RL:U/RC:ND)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 11470

Bugtraq ID: 7190

CVE ID: