Info

Disclosure

Jun 11, 2006

Discovery

Unknown

Dates

Exploit

Jun 11, 2006

Solution

Unknown

Description

Event Registration contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'select_events' variable upon submission to the event-registration.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
OSVDB: Web Related

Solution

Upgrade to version 26491 (2006-08-23) or higher, as it has been reported to fix this vulnerability. Note that this flaw was fixed in the 2006-08-23 release without a change in version number. An upgrade is required as there are no known workarounds. In addition, The Cute Group has released a patch for some older versions.

Products

The Cute Group	Event Registration	26490
		26491

References

CVE ID: 2006-3052 (see also: NVD)
Secunia Advisory ID: 20640
Related OSVDB ID: 26490
VUPEN Advisory: ADV-2006-2345
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-06/0179.html
http://attrition.org/pipermail/vim/2006-August/000983.html
Vendor URL: http://www.cescripts.com/

Credit

luny - lunyyoufucktard.com -

Direct URL: http://osvdb.org/26491