FCKeditor 'print_textinputs_var()' Multiple Cross Site Scripting Vulnerabilities Network Vulnerability

Summary

This host is installed with FCKeditor and is prone to multiple cross site scripting vulnerabilities.

Impact

Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Impact Level: Application

Solution

Upgrade to FCKeditor version 2.6.11 or later, For updates refer to http://ckeditor.com

Insight

Input passed via the keys and values of POST parameters to editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php is not properly sanitised in the 'print_textinputs_var()' function before being returned to the user.

Affected

FCKeditor version prior to 2.6.11

Detection

Send a crafted exploit string via HTTP GET request and check whether it is possible to read cookie or not.

References

http://packetstormsecurity.com/files/126902
http://seclists.org/bugtraq/2014/Jun/14
http://secunia.com/advisories/49606
http://www.osvdb.com/83278

Updated on 2015-03-25

Severity

Classification

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Annuaire PHP 'sites_inscription.php' Cross Site Scripting Vulnerability
7Media Web Solutions EduTrac Directory Traversal Vulnerability
Advantech WebAccess Multiple Stack Based Buffer Overflow Vulnerabilities
12Planet Chat Server one2planet.infolet.InfoServlet XSS
3Com NBX VoIP NetSet Detection

Take action and discover your vulnerabilities