XGB Guestbook 1.2 - User-Embedded Scripting

EDB-ID:

21381

CVE:



Author:

Firehack

Type:

webapps


Platform:

PHP

Date:

2002-04-15


source: https://www.securityfocus.com/bid/4513/info

xGB is guestbook software. It is written in PHP and will run on most Unix and Linux variants as well as Microsoft Windows operating systems.

xGB allows users to post images in guestbook entries by using special syntax to denote a link to an image. However, script code is not filtered from the image tags ([img][/img]) used by the guestbook. An attacker may cause script code to be executed by arbitrary web users who view the guestbook entries. 

[img]javascript:alert('This Guestbook allows Cross Site
Scripting');[/img]