CVE-2009-4567 in Viscachainfo

Summary

by MITRE

Multiple cross-site scripting (XSS) vulnerabilities in editprofile.php in Viscacha 0.8 Gold allow remote authenticated users to inject arbitrary web script or HTML via the (1) skype, (2) yahoo, (3) aol, (4) msn, or (5) jabber parameter in a profile2 action. NOTE: some of these details are obtained from third party information.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 09/16/2025

The vulnerability identified as CVE-2009-4567 represents a critical cross-site scripting flaw discovered in the Viscacha 0.8 Gold web application's profile management functionality. This vulnerability specifically affects the editprofile.php script and manifests when authenticated users interact with the profile2 action, creating a pathway for malicious actors to execute arbitrary web scripts or HTML code within the context of other users' browsers. The flaw resides in the insufficient input validation and output encoding mechanisms implemented for several instant messaging identifier parameters within the user profile editing interface.

The technical implementation of this vulnerability stems from the application's failure to properly sanitize user-supplied input values before rendering them in web pages. Attackers can exploit this weakness by crafting malicious payloads in the skype, yahoo, aol, msn, or jabber parameters during profile updates. These parameters are typically used to store user contact information for various instant messaging platforms, making them prime targets for injection attacks. The vulnerability operates under CWE-79 which categorizes cross-site scripting flaws as weaknesses in input validation and output encoding, specifically addressing the failure to properly escape or encode user-controllable data before incorporating it into dynamic web content.

The operational impact of this vulnerability extends beyond simple data theft or defacement, as it enables attackers to execute malicious code within the context of authenticated user sessions. This creates a significant risk for privilege escalation and session hijacking attacks, as the injected scripts can access the victim's session cookies and potentially perform actions with the privileges of the compromised user. The authenticated nature of the vulnerability means that attackers do not need to compromise user credentials directly, instead leveraging the legitimate user's session to execute malicious operations. This aligns with ATT&CK technique T1531 which describes the use of credentials from password reuse to maintain access.

The exploitation of this vulnerability requires minimal technical skill and can be accomplished through standard web application penetration testing methodologies. Attackers can craft specially formatted profile updates containing malicious JavaScript code that executes when other users view the compromised profile information. The persistence of these attacks is enhanced by the fact that the malicious code executes in the context of the victim's browser session, potentially allowing for long-term surveillance, data exfiltration, or further compromise of the application environment. Organizations using Viscacha 0.8 Gold should implement immediate mitigations including input validation, output encoding, and proper parameter sanitization to address this vulnerability.

Mitigation strategies should focus on implementing comprehensive input validation and output encoding mechanisms throughout the application's profile management components. The most effective approach involves sanitizing all user-supplied data before storage and properly encoding all output to prevent script execution in browser contexts. Organizations should also consider implementing Content Security Policy headers to limit the execution of inline scripts and restrict external resource loading. Regular security audits and input validation testing should be conducted to identify similar vulnerabilities in other application components. The vulnerability demonstrates the importance of following secure coding practices and implementing defense-in-depth strategies to protect against injection attacks that can compromise user sessions and application integrity.

Reservation

01/05/2010

Disclosure

01/05/2010

Moderation

accepted

Entry

VDB-51430

CPE

ready

Exploit

Download

EPSS

0.01252

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!