This script is Copyright (C) 2011-2013 Tenable Network Security, Inc.
The remote FreeBSD host is missing a security-related update.
Jose Antonio Coret reports that GForge contains multiple Cross Site
Scripting vulnerabilities and an e-mail flood vulnerability :
The login form is also vulnerable to XSS (Cross Site Scripting)
attacks. This may be used to launch phishing attacks by sending HTML
e-mails (i.e. saying that you need to upgrade to the latest GForge
version due to a security problem) and putting in the e-mail an HTML
link that points to a specially crafted URL that inserts an HTML form
in the GForge login page; when the user presses the login button,
he/she sends the credentials to the attacker's website.
The 'forgot your password?' feature allows a remote user to load a
certain URL to cause the service to send a validation e-mail to the
specified user's e-mail address. There is no limit to the number of
messages sent over a period of time, so a remote user can flood the
target user's secondary e-mail address (e-mail flood / e-mail bomber).
See also :
Update the affected package.
Risk factor :
Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 5.0
Public Exploit Available : true