LedNews News Post XSS

medium Nessus Plugin ID 11741

Synopsis

The remote web server is hosting a CGI application that is affected by a cross-site scripting vulnerability.

Description

The remote web server is running LedNews, a set of scripts designed to help maintain a news-based website.

There is a flaw in some versions of LedNews that could allow an attacker to include rogue HTML code in news posts. This may in turn be used to steal the cookies of people visiting the site, or to annoy them by showing pop-up error messages and the like.

Solution

There is no known solution at this time.

See Also

https://seclists.org/vulnwatch/2003/q2/107

Plugin Details

Severity: Medium

ID: 11741

File Name: lednews_xss.nasl

Version: 1.30

Type: remote

Published: 6/16/2003

Updated: 1/19/2021

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

Required KB Items: Settings/ParanoidReport

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Vulnerability Publication Date: 6/15/2003

Reference Information

CVE: CVE-2003-0495

BID: 7920

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990