Nuke ET mensaje Script insertion Vulnerability

Secunia Advisory: SA29651
Release Date: 2008-04-04
Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Unpatched
Software: Nuke ET 3.x

Description:
A vulnerability has been discovered in Nuke ET, which can be exploited by malicious users to conduct script insertion attacks.

Input passed to the "mensaje" parameter when sending private messages is not properly sanitised before being stored. This can be exploited to insert <div> HTML elements with JavaScript code, which is executed in a user's browser session in the context of an affected site when the malicious data is viewed.

Successful exploitation requires that both the attacker and the victim have valid user credentials, and that the victim uses e.g. Internet Explorer.

The vulnerability is confirmed in version 3.4 and reported in version 3.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
mrzayas.es

Original Advisory:
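
One way to apply the solution above, as an added example that is not Nuke ET's own code: an allowlist sanitiser for the "mensaje" value that keeps a few attribute-free formatting tags and escapes or unwraps everything else, <div> included. The function names, the tag lists and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not Nuke ET code. sanitise_mensaje() is a hypothetical helper.
// Assumption: private messages may keep only these attribute-free formatting tags.
const ALLOWED_TAGS = ['b', 'i', 'u', 'em', 'strong', 'p', 'br'];
// Elements whose content must never reach the page, not even as text.
const DROPPED_TAGS = ['script', 'style', 'iframe', 'object', 'embed'];

function render_node(DOMNode $node): string
{
    if ($node instanceof DOMText) {
        // Text is always re-escaped on the way out.
        return htmlspecialchars($node->nodeValue, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    if (!($node instanceof DOMElement)) {
        return ''; // comments and processing instructions are discarded
    }
    $tag = strtolower($node->nodeName);
    if (in_array($tag, DROPPED_TAGS, true)) {
        return '';
    }
    $inner = '';
    foreach ($node->childNodes as $child) {
        $inner .= render_node($child);
    }
    if (!in_array($tag, ALLOWED_TAGS, true)) {
        return $inner; // unwrap <div>, <html>, <body>, ...: keep children, drop the tag
    }
    // Allowed tags are re-emitted without any attribute (no style, no on* handlers).
    return $tag === 'br' ? '<br>' : "<{$tag}>{$inner}</{$tag}>";
}

function sanitise_mensaje(string $raw): string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate malformed markup quietly
    // The XML declaration makes libxml read the input as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $raw . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc->documentElement === null ? '' : trim(render_node($doc->documentElement));
}

// Constructed sample input: a <div> carrying attributes, plus a script element.
$sample = '<div style="x" onclick="y">Hola <b class="z">mundo</b></div><script>z()</script>';
echo sanitise_mensaje($sample), PHP_EOL;
```

Because the flaw is a stored one, run the same function when messages are displayed as well as when they are saved, so rows written before the fix are also neutralised.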