ClanSphere 'where' Parameter Cross-Site Scripting Vulnerability Network Vulnerability

Summary

The host is installed with ClanSphere and is prone to xss vulnerability.

Impact

Successful exploitation will allow remote attackers to execute arbitrary HTML and script code in a users browser session in the context of an affected site. Impact Level: Application

Solution

No solution or patch is available as of 23th January, 2015. Information regarding this issue will be updated once the solution details are available. For updates refer http://www.csphere.eu

Insight

Input passed via the 'where' parameter to '/index.php' is not properly sanitised before being returned to the user.

Affected

ClanSphere version 2011.4, Prior versions may also be affected.

Detection

Send a crafted data via HTTP GET request and check whether it is able to read cookie or not.

References

http://osvdb.org/104140
http://seclists.org/fulldisclosure/2014/Mar/73
http://secunia.com/advisories/57306
http://www.securityfocus.com/archive/1/archive/1/531373/100/0/threaded
https://www.httpcs.com/advisory/httpcs127

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-100010
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Aker Secure Mail Gateway Cross-Site Scripting Vulnerability
Aardvark Topsites <= 4.2.2 Remote File Inclusion Vulnerability
Apache Archiva Multiple Vulnerabilities
/doc directory browsable ?
2532|Gigs Directory Traversal And SQL Injection Multiple Vulnerabilities

Take action and discover your vulnerabilities