PaNews Multiple Injection Vulnerabilities
High Nessus Network Monitor Plugin ID 2626
Synopsis: The remote host is running a vulnerable version of PaNews, a news management script written in PHP.
Description: The remote host is running PaNews, a news management script written in PHP. This version of PaNews is vulnerable to a Cross-Site Scripting (XSS) attack. To exploit this flaw, an attacker would need to convince an unsuspecting user to visit a malicious website. On successful exploitation, the attacker could steal credentials or execute browser-side code. This version of PaNews is also reported to be prone to several remote SQL and HTML injection attacks. An attacker exploiting these flaws could modify and view confidential data.
Solution: Upgrade or patch according to vendor recommendations.