CVE-2007-1142
Published 2007-03-02
Priority: P4 · 16 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 1.52% (71.5th percentile)
Cross-site scripting (XSS) vulnerability in Magic News Plus 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the link_parameters parameter in (1) news.php and (2) n_layouts.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| reamday_enterprises | magic_news_plus | — | — |
No detection rules found.
Exploit-DB
Magic News Plus 1.0.2 - 'news.php?&link_parameters' Cross-Site Scripting
exploitdb·2007-02-21
---
source: https://www.securityfocus.com/bid/22661/info
Magic News Pro is prone to multiple input-validation vulnerabilities because the application fails to properly sanitize user-supplied input. These issues include a remote file-include issue and two cross-site scripting vulnerabilities.
An attacker can exploit these issues to execute arbitrary PHP code in the context of the webserver process or to steal cookie-based authentication credentials. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
These issues affect version 1.0.2; other versions may also be vulnerable.
http://www.example.com/news.php?GLOBALS[]=1&link_parameters=">alert(document.cook
Exploit-DB
Magic News Plus 1.0.2 - 'n_layouts.php?link_parameters' Cross-Site Scripting
exploitdb·2007-02-21
---
source: https://www.securityfocus.com/bid/22661/info
Magic News Pro is prone to multiple input-validation vulnerabilities because the application fails to properly sanitize user-supplied input. These issues include a remote file-include issue and two cross-site scripting vulnerabilities.
An attacker can exploit these issues to execute arbitrary PHP code in the context of the webserver process or to steal cookie-based authentication credentials. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
These issues affect version 1.0.2; other versions may also be vulnerable.
http://www.example.com/n_layouts.php?link_parameters=">alert(document.cookie)
No writeups or analysis indexed.
http://osvdb.org/33136
http://osvdb.org/33137
http://securityreason.com/securityalert/2334
http://www.securityfocus.com/archive/1/460902/100/0/threaded
http://www.securityfocus.com/bid/22661