13 lines
No EOL
820 B
Text
13 lines
No EOL
820 B
Text
source: https://www.securityfocus.com/bid/7687/info
|
|
|
|
Vignette software has been reported prone to multiple cross-site scripting vulnerabilities.
|
|
|
|
Reportedly the issue presents itself, because the Vignette software does not sufficiently sanitize HTML characters from user-supplied data.
|
|
|
|
It may be possible for an attacker to supply and execute HTML and script code on a web client in the context of the site hosting the Vignette software. This may allow for theft of cookie-based authentication credentials and other attacks.
|
|
|
|
This issue was reported for Vignette StoryServer version 4 to version 6; it has been speculated that all current versions are vulnerable.
|
|
|
|
https://www.example.com/Page/1,10966,,00.html?var=<script>alert('s21sec')</script>
|
|
|
|
http://www.example.com/vgn/login?errInfo="%2b%20document.cookie%20%2b" |