HESK Multiple Cross-site Scripting (XSS) Vulnerabilities

Summary
This host is running HESK and is prone to multiple cross-site scripting vulnerabilities.
Impact
Successful exploitation will allow remote attackers to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
Impact Level: Application
Solution
Upgrade to HESK version 2.3 or later. For updates refer to http://www.hesk.com/
Insight
The flaws are due to improper validation of:
- input passed via the 'hesk_settings[tmp_title]' and 'hesklang[ENCODING]' parameters to '/inc/header.inc.php';
- input passed via the 'hesklang[attempt]' parameter to various files in the '/inc/' directory;
- input appended to the URL after '/language/en/text.php', before being returned to the user.
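The following is an added detection example, not part of this advisory or of HESK itself: it scans web-server access log lines for requests that carry HTML or script fragments in exactly the parameters and URL positions listed above. It assumes a combined-format access log and uses constructed sample lines; the parameter names and paths come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote
# Paths and parameters named in the advisory.
HEADER_PATH = "/inc/header.inc.php"
HEADER_PARAMS = {"hesk_settings[tmp_title]", "hesklang[ENCODING]", "hesklang[attempt]"}
INC_PARAMS = {"hesklang[attempt]"}   # reflected by "various files" under /inc/
TEXT_PATH = "/language/en/text.php"  # echoes whatever is appended after it
# Fragments that can break out of an HTML or attribute context when reflected unescaped.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Prefix of a combined-format access log line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def flag_request(url):
    """Return (parameter, value) pairs in one request URL that look like XSS attempts."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    hits = []
    if path.startswith(TEXT_PATH) and len(path) > len(TEXT_PATH):
        tail = path[len(TEXT_PATH):]   # path-info reflected by text.php
        if SUSPICIOUS.search(tail):
            hits.append(("PATH_INFO", tail))
    if path == HEADER_PATH:
        watched = HEADER_PARAMS
    elif path.startswith("/inc/"):
        watched = INC_PARAMS
    else:
        watched = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in watched and SUSPICIOUS.search(value):
            hits.append((name, value))
    return hits

def scan_log(lines):
    """Return one finding dict per suspicious (request, parameter) pair in the log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            client, ts, url, status = m.groups()
            for name, value in flag_request(url):
                findings.append({"client": client, "time": ts, "status": int(status),
                                 "url": url, "param": name, "value": value})
    return findings
# Constructed sample log lines, not real traffic: one legitimate language request, two probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /inc/common.inc.php?hesklang%5Battempt%5D=en HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /inc/header.inc.php?hesk_settings%5Btmp_title%5D=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /language/en/text.php/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200',
]
```

Feed `scan_log()` your real access log (one line per entry); a legitimate language switch such as `hesklang[attempt]=en` produces no finding, while reflected markup in the watched parameters or in the path info after `text.php` does.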
Affected
HESK version 2.2 and prior.
References