|
Description
|
|
Sony has reported multiple vulnerabilities in WonderDesk SQL, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.
1) Input passed via the "cus_email" parameter to wonderdesk.cgi (when "do" is set to "cust_lostpw") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
2) Input passed via the "help_name", "help_email", "help_website", and "help_example_url" parameters to wonderdesk.cgi (when "do" is set to "hd_modify_record") is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.
The vulnerabilities are reported in version 4.14. Other versions may also be affected.
|
