VBulletin members2.php Cross Site Scripting Vulnerability

Due to insufficient sanitization of user supplied values, it is possible to exploit a vulnerability in VBulletin. By passing an invalid value to a variable located in 'members2.php', it is possible to generate an error page which will include attacker-supplied HTML code which will be executed in a legitimate users browser.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. The attacker may use cookie-based authentication credentials to hijack the session of the legitimate user.


 

Privacy Statement
Copyright 2010, SecurityFocus