- 28 May 2008Advisories » All In One Control Panel (AIOCP) Unspecified Parameter Handling Remote Cross-Site Scripting Vulnerability
| Release Date: | 15/01/2007 | Severity: | Less Critical  |
| SecWatch Advisory: | SWID1016728 | Cause: | Input validation error |
| Solution Status: | Vendor Patch | Impact: | Cross Site Scripting |
| Exploit Status: | None Available | Access Vector: | From remote |
| Affected Software: | All In One Control Panel 1.x | ||
| Original Advisory: | http://sourceforge.net/project/shownotes.php?release_id=478370 |
||
| References: | FrSIRT/ADV-2007-0189 |
||
| CVE: | CVE-2007-0365 | ||
| Secunia: | SA23732 | ||
Description:
An input validation vulnerability in All In One Control Panel (AIOCP) has been reported, which can be exploited by remote users to conduct cross-site scripting attacks.
User-supplied input passed to unspecified parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary script code in the security context of an affected website, as a result the code will be able to access any of the target user's cookies, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Affected:
All In One Control Panel (AIOCP) versions prior to 1.3.010.
Solution:
The vulnerability has been fixed in version 1.3.10 or later.
Credits:
Reported by vendor.
Free Vulnerability Notification Service
Receive free instant and customisable notifications of new vulnerabilities or exploits via e-mail, web or RSS feeds. Click here for more information.
Related Vulnerabilities and Exploits
15 Jan 07: All In One Control Panel (AIOCP) "xuser_name" and "did" Parameter..
12 Jan 07: All In One Control Panel "download_category" Parameter Handling R..
07 Nov 06: All In One Control Panel (AIOCP) Multiple SQL Injection and Cross..
07 Jun 07: All In One Control Panel "aiocp_dp" Parameter Handling Remote Cro..
03 May 07: All In One Control Panel (AIOCP) Remote Cross-Site Scripting Vuln..