Description
A weakness and two vulnerabilities have been discovered in ezStats2 for Battlefield 3, which can be exploited by malicious people to disclose certain system information and conduct cross-site scripting attacks.
1) The application provides unrestricted access to admin/apitest.php, which can be exploited to disclose system information e.g. PHP configuration details.
2) Input passed via the "common" and "rankings" GET parameters to admin/stylsheets/style.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
The vulnerabilities are confirmed in version 0.91. Other versions may also be affected.
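As an added illustration (not code from ezStats2), the unsafe pattern that finding 2 describes next to a hardened version; the parameter semantics, the hex-colour allowlist and the CSS layout are assumptions:

```php
<?php
// Added illustration, not ezStats2 code. Assumes style.php builds a stylesheet
// from the "common" and "rankings" GET parameters; their real meaning is unknown.

// Vulnerable pattern: raw GET values are echoed straight into the response.
// Nothing restricts the values and nothing declares the output as CSS, so a
// request carrying HTML markup in either parameter is rendered as a page and
// the injected markup runs in the victim's browser, in the site's context.
function render_style_unsafe(array $get): string {
    $common   = $get['common']   ?? '';
    $rankings = $get['rankings'] ?? '';
    return "body { background: $common; }\n.rankings { color: $rankings; }\n";
}

// Hardened pattern: accept only values matching a strict allowlist (here CSS
// hex colours, an assumption about the intended input) and fall back to a
// default for anything else. No attacker-controlled bytes reach the output.
function css_colour_or_default(?string $value, string $default): string {
    if ($value !== null
        && preg_match('/\A#[0-9A-Fa-f]{3}(?:[0-9A-Fa-f]{3})?\z/', $value) === 1) {
        return $value;
    }
    return $default;
}

function render_style_safe(array $get): string {
    $common   = css_colour_or_default($get['common']   ?? null, '#ffffff');
    $rankings = css_colour_or_default($get['rankings'] ?? null, '#000000');
    return "body { background: $common; }\n.rankings { color: $rankings; }\n";
}

// Declare the response as CSS and forbid MIME sniffing, so even a future
// validation gap cannot turn the stylesheet into an HTML document.
header('Content-Type: text/css; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo render_style_safe($_GET);
```

Serving style.php with an explicit text/css type is a defence in depth; the allowlist is what actually removes the injection.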