XSS flaw in MG2 Image Gallery (v.0.5.1)

2006.01.30

Credit: Preben Nyloekken

Risk: Low

Local: Yes

Remote: Yes

CVE: CVE-2006-0493

CWE: CWE-79

CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

Users can inject XSS into the form field "Name", when adding a comment on a picture. This will lead to the execution of XSS code.
Simple scripting like <script>alert('hello')</script> , and more advanced document.location, and document.cookie works.
This has been tested on version 0.5.1. Other versions might be flawed too.
Please credit to: Preben Nyl?kken

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

XSS flaw in MG2 Image Gallery (v.0.5.1)

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.