Amplify’d from www.criticalwatch.com
Squirrelmail-SA-10/5/2010: XSS in Squirrelmail plugin Virtual Keyboard 0.9.1
Squirrelmail plugin 'Virtual Keyboard' version 0.9.1 and lower is
vulnerable to cross-site scripting (XSS).
The vkeyboard.php script fails to sanitize the value of the HTTP GET
parameter 'passformname', which the script stores in a variable of the
same name and later outputs (unmodified) into an HTML document. As such,
it is possible to inject client-evaluated HTML and script code into the
output generated by the application.
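
The pattern the advisory describes, next to a hardened form, as an added example (not the plugin's source and not code from the advisory). It assumes the value lands in an HTML attribute; the function names, the default form name and the identifier policy are hypothetical.

```php
<?php
// Added illustration; not the plugin's code. Function names are hypothetical.

// Vulnerable pattern from the advisory: the GET value is copied into a
// variable of the same name and written into the page unmodified.
function render_unsafe(array $get): string
{
    $passformname = $get['passformname'] ?? '';
    return '<input type="hidden" name="passformname" value="' . $passformname . '">';
}

// Hardened form: validate against an allowlist, then encode for the
// output context (an HTML attribute, by assumption).
function render_safe(array $get): string
{
    $passformname = $get['passformname'] ?? '';

    // A form name is an identifier. Anything else, including array input
    // such as ?passformname[]=x, falls back to a fixed default.
    if (!is_string($passformname)
        || !preg_match('/\A[A-Za-z][A-Za-z0-9_]{0,63}\z/', $passformname)) {
        $passformname = 'login_form'; // hypothetical default
    }

    // Encode even after validation so a later change to the pattern
    // cannot reintroduce the injection.
    $encoded = htmlspecialchars($passformname, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="passformname" value="' . $encoded . '">';
}

// Constructed sample inputs, not taken from the advisory.
$samples = [
    ['passformname' => 'login_form'],          // expected identifier
    ['passformname' => 'x"><b>markup</b>'],    // markup characters
    ['passformname' => ['array', 'value']],    // non-string input
];

// The unsafe version lets the second sample close the attribute and add
// its own element to the document.
echo render_unsafe($samples[1]), PHP_EOL;

// The safe version emits a well-formed attribute for every sample.
foreach ($samples as $get) {
    echo render_safe($get), PHP_EOL;
}
```

If the value is written into a script block rather than an attribute, `htmlspecialchars()` is not the right encoder for that context; the allowlist check is what keeps the value safe there.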