Summary
PhreeBooks is prone to multiple local file-include vulnerabilities and multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit the local file-include vulnerabilities using directory-traversal strings to view files and execute local scripts in the context of the webserver process
other attacks are also possible.
The attacker may leverage the HTML-injection issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie- based authentication credentials and launch other attacks.
PhreeBooks 2.0 is vulnerable
other versions may also be affected.
References
Severity
Classification
-
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Adobe ColdFusion Multiple Full Path Disclosure Vulnerabilities
- Aardvark Topsites <= 4.2.2 Remote File Inclusion Vulnerability
- Apache mod_proxy_ajp Information Disclosure Vulnerability
- Apache Tomcat 'sendfile' Request Attributes Information Disclosure Vulnerability
- Apache Tomcat TroubleShooter Servlet Installed