Detections
Analytics

Elgg index.php view Parameter XSS

medium Nessus Plugin ID 59656

Language:

Synopsis

The remote web server hosts a PHP script that is affected by a cross-site scripting vulnerability.

Description

The version of the Elgg installed on the remote host is affected by a cross-site scripting vulnerability because it fails to properly sanitize user input to the 'view' parameter of the 'index.php' script. An attacker may be able to leverage this to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.

Solution

Upgrade to version 1.8.5 or later.

See Also

http://blog.elgg.org/pg/blog/evan/read/209/elgg-185-released

Plugin Details

Severity: Medium

ID: 59656

File Name: elgg_view_xss.nasl

Version: 1.7

Type: remote

Published: 6/22/2012

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:elgg:elgg

Required KB Items: www/PHP, www/elgg

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 5/19/2012

Vulnerability Publication Date: 5/19/2012

Reference Information

CVE: CVE-2012-6561

BID: 53623

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990