Poweradmin index.php XSS

medium Nessus Plugin ID 62385

Synopsis

The remote web server hosts a PHP script that is affected by a cross-site scripting vulnerability.

Description

The Poweradmin install hosted on the remote web server is affected by a cross-site scripting vulnerability because it fails to properly sanitize user input appended to the URL of the 'index.php' script. An attacker may be able to leverage this to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.

Solution

Upgrade to version 2.1.6 or later.

See Also

http://www.nessus.org/u?76115f5b

http://www.nessus.org/u?fe4b4f6e

http://www.nessus.org/u?559bd5a7

Plugin Details

Severity: Medium

ID: 62385

File Name: poweradmin_index_xss.nasl

Version: 1.10

Type: remote

Published: 10/1/2012

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

CPE: x-cpe:/a:poweradmin:poweradmin

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/7/2012

Vulnerability Publication Date: 9/4/2012

Reference Information

BID: 55619

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990