Users of the Squirrelmail plugin Virtual Keyboard 0.9.1 (and earlier versions) should be aware of a cross-site scripting (XSS) vulnerability that has been identified in it.
For details of this vulnerability, possible remedies, and other advisories, see the Security Advisories page at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx).
Amplify’d from www.criticalwatch.com
Squirrelmail-SA-10/5/2010: XSS in Squirrelmail plugin Virtual Keyboard 0.9.1
Squirrelmail plugin 'Virtual Keyboard' version 0.9.1 and lower is vulnerable to cross-site scripting (XSS).

The vkeyboard.php script fails to sanitize the value of the HTTP GET parameter 'passformname', which the script stores in a variable of the same name and later outputs (unmodified) into an HTML document. As such, it is possible to inject client-evaluated HTML and script code into the output generated by the application.
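The pattern the advisory describes, a GET parameter copied into a variable and echoed straight into HTML, is shown below next to the minimal fix. This is an added illustration written for this post; it is not code from the Virtual Keyboard plugin or from Critical Watch. The parameter name 'passformname' and the script name vkeyboard.php come from the advisory; the HTML context (a hidden input carrying the form name), the function names, and the probe string are assumptions chosen to make the pattern and the fix visible.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own code. The HTML context below is an
// assumption: the advisory only says the value is output unmodified.

// Vulnerable shape (as described for vkeyboard.php): the GET value lands
// in $passformname and is concatenated into markup with no encoding.
function render_vulnerable(array $get): string
{
    $passformname = $get['passformname'] ?? '';
    return '<input type="hidden" name="passformname" value="'
        . $passformname . '">';
}

// Minimal fix: encode for the HTML attribute context on output.
// ENT_QUOTES matters here because the value sits inside a double-quoted
// attribute; without it a '"' still closes the attribute.
function render_encoded(array $get): string
{
    $passformname = $get['passformname'] ?? '';
    $safe = htmlspecialchars($passformname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="passformname" value="' . $safe . '">';
}

// Optional second layer: a form name is an identifier, so anything else
// can be rejected before it reaches the template at all. This does not
// replace output encoding; it narrows what the encoder has to handle.
function is_valid_form_name(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_\-]{1,64}$/', $name) === 1;
}

// Constructed probe (not from the advisory): closes the attribute and
// injects a script tag, the generic shape of a reflected-XSS check.
$probe = ['passformname' => '"><script>alert(1)</script>'];

$vulnerable = render_vulnerable($probe);
$encoded    = render_encoded($probe);

echo "vulnerable: $vulnerable\n";
echo "encoded:    $encoded\n";

// A crude but honest check: the vulnerable output carries the raw tag,
// the encoded output never does, and the allowlist rejects the probe
// while accepting an ordinary form name.
$ok = strpos($vulnerable, '<script>') !== false
    && strpos($encoded, '<script>') === false
    && !is_valid_form_name($probe['passformname'])
    && is_valid_form_name('login_form');

echo $ok ? "checks passed\n" : "checks FAILED\n";
exit($ok ? 0 : 1);
```

Run it with `php example.php`. The vulnerable line reproduces the injection the advisory describes; the encoded line shows the same input rendered inert. When patching the real script, the encoding call belongs at the point of output, not at the point where the parameter is read, so that every place the variable is echoed is covered.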
