Summary
This host is running LightNEasy and is prone to cross-site scripting and directory traversal vulnerabilities.
Impact
Successful exploitation will allow an attacker to inject arbitrary HTML and script code, which will be executed when the malicious comment is viewed, and to disclose the content of arbitrary files on the affected system.
Impact Level: Application
Solution
Upgrade to LightNEasy version 3.1 or later.
For updates refer to http://www.lightneasy.org/index.php
Insight
Multiple flaws exist because:
- The input passed to the 'commentname', 'commentemail' and 'commentmessage' parameters when posting a comment is not properly sanitised before being used, allowing stored cross-site scripting.
- The input passed via the 'page' parameter to LightNEasy.php is not properly sanitised before being used to read files and can be exploited by directory traversal attacks.
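The two mitigations implied above, as an added defender-side example that is not LightNEasy's own code: HTML-escaping the three comment fields before they are rendered, and mapping the 'page' parameter onto a file only when it passes an allowlist and stays inside an assumed pages directory (PAGES_ROOT, the ".txt" suffix and the field names as dictionary keys are assumptions for illustration).

```python
import html
import posixpath
import re

# Assumed layout (constructed for this example, not LightNEasy's real paths):
# page files live under PAGES_ROOT and are addressed by a bare name.
PAGES_ROOT = "/srv/www/pages"
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")

# The three comment parameters named in the advisory.
COMMENT_FIELDS = ("commentname", "commentemail", "commentmessage")


def sanitize_comment(form):
    """Return the comment fields from a submitted form, HTML-escaped.

    Escaping '<', '>', '&' and quotes stops a stored comment from injecting
    markup or attributes into every page that later renders it.
    """
    return {f: html.escape(form.get(f, ""), quote=True) for f in COMMENT_FIELDS}


def resolve_page(page):
    """Map the 'page' parameter to a file under PAGES_ROOT, or None.

    Two independent checks: an allowlist on the name (no '/', '.', '%' or
    NUL, so '..', absolute and percent-encoded paths never pass), and a
    containment check on the normalised path as defence in depth.
    """
    if not PAGE_NAME.fullmatch(page):
        return None
    path = posixpath.normpath(posixpath.join(PAGES_ROOT, page + ".txt"))
    if posixpath.commonpath([PAGES_ROOT, path]) != PAGES_ROOT:
        return None
    return path


if __name__ == "__main__":
    # Constructed inputs: a comment carrying script, and a traversal attempt.
    form = {"commentname": "<script>alert(1)</script>",
            "commentemail": "a@example.invalid",
            "commentmessage": 'x" onmouseover="y'}
    print(sanitize_comment(form))
    print(resolve_page("about"))             # /srv/www/pages/about.txt
    print(resolve_page("../../secret.conf"))  # None
```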
Affected
LightNEasy version 2.2.1 and prior (no database) and LightNEasy version 2.2.2 and prior (SQLite)
Severity
CVSS Base Score: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Classification
CVE: CVE-2009-1937