TWiki XSS and Command Execution Vulnerabilities

Summary
The host is running TWiki and is prone to cross-site scripting (XSS) and command execution vulnerabilities.
Impact
Successful exploitation could allow execution of arbitrary script code or commands. This could let attackers steal cookie-based authentication credentials or compromise the affected application.
Impact Level: Application
Solution
Upgrade to TWiki version 4.2.4 or later. See http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x02x04
Insight
The flaws are due to:
- The %URLPARAM{}% variable is not properly sanitised, which lets attackers conduct cross-site scripting attacks.
- The %SEARCH{}% variable is not properly sanitised before being used in an eval() call, which lets attackers execute Perl code through an eval injection attack.
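As an added illustration, not TWiki's own code (the variable handler and its parameter are hypothetical), the Perl pattern behind an eval injection of this kind, shown beside the hardened form that keeps request data out of the compiler:

```perl
#!/usr/bin/perl
# Hypothetical illustration (not TWiki's code) of the eval-injection
# pattern behind the %SEARCH{}% flaw: a request parameter is spliced
# into source text handed to Perl's string eval, versus the hardened
# form, where the parameter is passed as data to a block eval.
use strict;
use warnings;

# Unsafe: the parameter becomes part of the program text that is compiled.
sub render_unsafe {
    my ($param) = @_;
    my $code = qq{ "search for: $param" };   # interpolated into code text
    my $out  = eval $code;                   # string eval compiles $code
    return defined $out ? $out : "error: $@";
}

# Hardened: a block eval only traps exceptions at run time; $param is
# never compiled, so it stays an ordinary string whatever it contains.
sub render_safe {
    my ($param) = @_;
    my $out = eval { "search for: $param" };
    return defined $out ? $out : "error: $@";
}

# Constructed input containing quote characters, the kind a parameter
# filter must treat as data. render_safe echoes it literally; in
# render_unsafe the same characters change the program text.
my $input = q{a" . "b};
print render_safe($input),   "\n";   # prints: search for: a" . "b
print render_unsafe($input), "\n";   # prints: search for: ab
```

The difference in the two printed lines is the check to look for when reviewing Perl code that builds eval() input from a wiki variable or URL parameter.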
Affected
TWiki versions prior to 4.2.4.