YaBB Login Cross-Site Scripting...

Published: 2002-10-18
Revised: 2025-04-13

A cross-site scripting vulnerability has been reported in the YaBB (Yet Another Bulletin Board) forum login script. HTML tags or script code are not sanitized from the error output of erroneous login attempts. As a result, it is possible for a remote attacker to create a malicious link to the login page of a site hosting the web forum. The malicious link may contain arbitrary HTML and script code in the password field. Visiting the link will cause attacker-supplied code to be executed in the web client of the user. It has been demonstrated that this vulnerability may be exploited to steal cookie-based authentication credentials. Furthermore, once an attacker has hijacked a user's session with the credentials, it is possible to change that user's password without needing to further authenticate.
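A detection sketch for the malicious-link pattern described above, added here as an example and not part of the original advisory: it scans web server access logs for login requests whose password parameter decodes to HTML markup, including double percent-encoded values. The log format, the `/forum/login.cgi` path and the parameter names are assumptions, since the advisory does not give them.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed credential field names; replace with the forum's real login field.
CREDENTIAL_PARAMS = {"password", "passwd", "pass"}

# Heuristic: an opening or closing HTML tag inside a credential value.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]", re.I)

# Request line of a common/combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %253Cscript%253E is still seen as <script>."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_login_requests(log_lines):
    """Return (client_ip, parameter, decoded_value) for each flagged request."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = fully_decode(value)
            if name.lower() in CREDENTIAL_PARAMS and MARKUP.search(decoded):
                hits.append((line.split()[0], name, decoded))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical path).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2002:10:00:00 +0000] '
    '"GET /forum/login.cgi?user=alice&password=hunter2 HTTP/1.0" 200 512',
    '198.51.100.7 - - [18/Oct/2002:10:01:00 +0000] '
    '"GET /forum/login.cgi?user=bob&password=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 734',
    '198.51.100.9 - - [18/Oct/2002:10:02:00 +0000] '
    '"GET /forum/login.cgi?user=carol&password=%253Cimg%2520src%253Dx%253E HTTP/1.0" 200 701',
]

if __name__ == "__main__":
    for ip, param, value in suspicious_login_requests(SAMPLE_LOG):
        print(f"{ip} {param}={value!r}")
```

Legitimate logins are normally submitted by POST, so any credential parameter appearing in a logged query string already deserves review; the markup check narrows that to requests matching this advisory.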

No exploit or PoC available
0 affected product entries at present