RETIRED: BosDev BosNews Multiple HTML Injection Vulnerabilities
BosDev BosNews is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input data. Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

UPDATE (November 13, 2007): This BID is being retired. The vendor refutes these claims, stating that HTML code is stripped with the exception of certain parameters that will accept HTML only if the user has administrator privileges. Please see the references for more information.