|
Description
|
|
TrustWave SpiderLabs has reported multiple vulnerabilities in The Bug Genie, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.
1) Input passed via the "description" parameter to /thebuggenie/sampleproject3/issues/new and /thebuggenie/attach/link/to/wiki/0 is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.
2) Input passed via the "openid_identifier" POST parameter to /thebuggenie/do/login is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerabilities are reported in versions 3.2.5 and prior.
|
