September 11, 2013 at 8:57 pm #8578AndyPParticipant
Advisory ID: HTB23170
Vendor: Wikka Development Team
Vulnerable Versions: 1.3.4 and probably prior
Tested Version: 1.3.4
Vendor Notification: August 21, 2013
Vendor Fix: August 31, 2013
Public Disclosure: September 11, 2013
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2013-5586
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab
High-Tech Bridge Security Research Lab discovered vulnerability in WikkaWiki, which can be exploited to perform Cross-Site Scripting (XSS) attacks against users of vulnerable application.
1) Cross-Site Scripting (XSS) in WikkaWiki: CVE-2013-5586
The vulnerability exists due to insufficient sanitisation of user-supplied data in “wakka” HTTP GET parameter passed to “/sql/” URL. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
Update to Wikka 1.3.4-p1
 High-Tech Bridge Advisory HTB23170 – Cross-Site Scripting (XSS) in WikkaWiki.
 WikkaWiki – http://www.wikkawiki.org – WikkaWiki is a flexible, standards-compliant and lightweight wiki engine written in PHP, which uses MySQL to store pages.
 Common Vulnerabilities and Exposures (CVE) – http://cve.mitre.org/ – international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) – http://cwe.mitre.org – targeted to developers and security practitioners, CWE is a formal list of software weakness types.
 ImmuniWeb® – is High-Tech Bridge’s proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
- You must be logged in to reply to this topic.