LEPTON 1.1.3 - Cross-Site Scripting

EDB-ID:

36787

CVE:

N/A




Platform:

PHP

Date:

2012-02-15


source: https://www.securityfocus.com/bid/52026/info

LEPTON is prone to multiple input-validation vulnerabilities, including:

1. A cross-site scripting vulnerability
2. An SQL-injection vulnerability
3. A local file-include vulnerability
4. Multiple HTML-injection vulnerabilities

Exploiting these issues could allow an attacker to execute arbitrary script and PHP code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

LEPTON 1.1.3 is vulnerable; other versions may also be affected. 

http://www.example.com/admins/login/forgot/index.php?message=%3Cscript%3Ealert%28document.cookie%29;%3C/scrip t%3E