Joomla RSComments Component Two Script Insertion Vulnerabilities

SECUNIA ADVISORY ID:
SA40278

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40278/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=40278

RELEASE DATE:
2010-06-23
DESCRIPTION:
Two vulnerabilities have been reported in the RSComments component
for Joomla, which can be exploited by malicious people to conduct
script insertion attacks.

Input passed via the "website" and "name" parameters to index.php
(when "option" is set to "com_rscomments") when posting a comment is
not properly sanitised before being used. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious data is being viewed.

The vulnerabilities are reported in version Rev 2. Other versions may
also be affected.

SOLUTION:
Update to version Rev 3.

PROVIDED AND/OR DISCOVERED BY:
jdc

ORIGINAL ADVISORY:
RSComments:
http://www.rsjoomla.com/customer-support/documentations/96--general-overview-of-the-component/393-changelog.html

RECENT ARTICLE

RECENT POST