CVE-2009-4908
Published 2010-06-25
Priority: P4 | 18 | medium 4.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 1.49% (70.8th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in oBlog allow remote attackers to inject arbitrary web script or HTML via the (1) commentName, (2) commentEmail, (3) commentWeb, or (4) commentText parameter to article.php; and allow remote authenticated administrators to inject arbitrary web script or HTML via the (5) article_id or (6) title parameter to admin/write.php, the (7) category_id or (8) category_name parameter to admin/groups.php, the (9) blogroll_id or (10) title parameter to admin/blogroll.php, or the (11) blog_name or (12) tag_line parameter to admin/settings.php.
No detection rules found.
Exploit-DB
oBlog - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin Brute Force (exploitdb, 2009-12-11, CVE-2009-4908)
---
[-------------------------------------------------------------------------------------------------]
[ Application: oBlog ]
[ Version: the only one there is :) ]
[ Download: http://www.dootzky.com/images/projects/oBlog.zip ]
[ Author of this full disclosure: Milos Zivanovic ]
[ Vulnerabilities: Persistent XSS, CSRF, Admin Bruteforce... ]
[-------------------------------------------------------------------------------------------------]
The author of the application has been contacted, and the author of this paper is not responsible for anything
you do after reading this text.
[#] Content:
|--Persistent XSS
| |
| |--Vulnerable function
| |--XSS in article comments
| |--XSS in add new article / Edit article, Nas
Exploit-DB
TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities (exploitdb, 2009-07-28, indexed under CVE-2011-4908)
---
Discovered by
Aung Khant, YGN Ethical Hacker Group, Myanmar
http://yehg.net/ ~ believe in full disclosure
Advisory URL:
http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities
Date published: 2009-07-27
Severity: High
Vulnerability Class: Abuse of Functionality
Affected Products:
- TinyMCE editor with TinyBrowser plugin
- Any web sites/web applications that use TinyMCE editor with TinyBrowser plugin
Author: Bryn Jones (http://www.lunarvis.com)
Author Contacted: Yes
Reply: No reply
Product Overview
TinyBrowser is a plugin for the TinyMCE JavaScript editor that acts as a
file browser to view, upload, delete, renam
No writeups or analysis indexed.
References:
- http://osvdb.org/60906
- http://packetstormsecurity.org/0912-exploits/oblog-xssxsrf.txt
- http://secunia.com/advisories/37661
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54713