PT-2011-4790 · Lightneasy · Lightneasy

Published: 2011-10-04 · Updated: 2018-10-09 · CVE-2011-3978

CVSS v2.0: 3.5 (Low)

Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions: LightNEasy version 3.2.4

Description: The issue allows remote authenticated users to inject arbitrary web script or HTML via specific parameters in a sendcomment action for the news page. The vulnerable parameters are commentemail, commentmessage, and commentname.

Recommendations: For LightNEasy version 3.2.4, consider restricting access to the sendcomment action for the news page until a fix is available, and avoid using the parameters commentemail, commentmessage, and commentname in this action to minimize the risk of exploitation.

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2011-3978

Affected Products

Lightneasy