Summary
openEngine is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the webserver process. Information harvested may aid in further attacks.
The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
openEngine 2.0 100226 is vulnerable
other versions may also be affected.
References
Updated on 2015-03-25
Severity
Classification
-
CVSS Base Score: 5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Apache Web Server ETag Header Information Disclosure Weakness
- Apache ActiveMQ Persistent Cross-Site Scripting Vulnerability
- Aardvark Topsites PHP 'index.php' Multiple Cross Site Scripting Vulnerabilities
- Adobe Presenter viewer.swf and loadflash.js XSS Vulnerability
- AfterLogic WebMail Pro Multiple Cross Site Scripting Vulnerabilities