CVE-2008-5795 - Cross-Site Scripting (XSS) vulnerability in Typo3 Eluna Page Comments Extension 1.1.2

Publication

2008-12-31

Last modification

2017-08-08

Summary

Cross-site scripting (XSS) vulnerability in the eluna Page Comments (eluna_pagecomments) extension 1.1.2 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Description

The 'eluna_pagecomments' extension for TYPO3 is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.These issues affect 'eluna_pagecomments' 1.1.2; other versions may also be affected.

Solution

Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: info@vumetric.com.

Exploit

An attacker can exploit these issues via a browser. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI.

Classification

CWE-79 - Cross-Site Scripting (XSS)

Risk level (CVSS AV:N/AC:M/Au:N/C:N/I:P/A:N)

Medium

4.3

Access Vector

  • Network
  • Adjacent Network
  • Local

Access Complexity

  • Low
  • Medium
  • High

Authentication

  • None
  • Single
  • Multiple

Confident. Impact

  • Complete
  • Partial
  • None

Integrity Impact

  • Complete
  • Partial
  • None

Affected Products

Vendor Product Versions
Typo3 Eluna Page Comments Extension  1.1.2