PowerPortal modules/private_messages/index.php Multiple Parameter XSS

medium Nessus Plugin ID 14178

Synopsis

The remote web server contains a PHP application that is prone to a cross-site scripting attack.

Description

The remote host is using PowerPortal, a content management system written in PHP.

A vulnerability exists in the remote version of this product that may allow a remote attacker to inject arbitrary HTML tags when sending a private message to a victim user of the remote portal.

An attacker may exploit this flaw to steal the credentials of another user on the remote host.

Solution

Unknown at this time.

See Also

http://www.securiteam.com/unixfocus/5TP0O2ADFK.html

Plugin Details

Severity: Medium

ID: 14178

File Name: powerportal_privmsg_html_injection.nasl

Version: 1.17

Type: remote

Published: 8/1/2004

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Vulnerability Publication Date: 7/28/2004

Reference Information

CVE: CVE-2004-2514

BID: 10835

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990