CVE-2009-4908
Description
Multiple cross-site scripting (XSS) vulnerabilities in oBlog allow remote attackers to inject arbitrary web script or HTML via the (1) commentName, (2) commentEmail, (3) commentWeb, or (4) commentText parameter to article.php; and allow remote authenticated administrators to inject arbitrary web script or HTML via the (5) article_id or (6) title parameter to admin/write.php, the (7) category_id or (8) category_name parameter to admin/groups.php, the (9) blogroll_id or (10) title parameter to admin/blogroll.php, or the (11) blog_name or (12) tag_line parameter to admin/settings.php.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
oBlog - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin Brute Force
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| dootzky | oblog | | |
References
- http://osvdb.org/60906
- http://packetstormsecurity.org/0912-exploits/oblog-xssxsrf.txt
- http://secunia.com/advisories/37661
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54713
- http://osvdb.org/60906
- http://packetstormsecurity.org/0912-exploits/oblog-xssxsrf.txt
- http://secunia.com/advisories/37661
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54713
CWEs
CWE-79
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.