Security Advisory - Curesec Research Team 1. Introduction Affected Product: MiniBB 3.1.1 Fixed in: 3.2 Fixed Version Link: http://ift.tt/1L1PVWU Vendor Contact: security@minibb.com Vulnerability Type: XSS Remote Exploitable: Yes Reported to vendor: 09/01/2015 Disclosed to public: 10/07/2015 Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description There is an XSS vulnerability in MiniBB 3.1.1. With this, it is possible to steal cookies, bypass CSRF protection, or inject JavaScript keyloggers. 3. Proof of Concept http://localhost/minibb/index.php?action=editmsg&topic=2&forum=1&post=3&page=1&anchor=">4. Solution To mitigate this issue please upgrade at least to version 3.2: http://ift.tt/1L1PVWU Please note that a newer version might already be available. 5. Report Timeline 09/01/2015 Informed Vendor about Issue 09/02/2015 Vendor announces release of fix 10/01/2015 No fix released yet, set new public disclosure date 10/01/2015 Vendor releases fix 10/07/2015 Disclosed to public Blog Reference: http://ift.tt/1WFMvQF
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment