Network-weathermap .network Weathermap up to 0.96 editor.php map_title cross site scripting

Summaryinfo

A vulnerability classified as problematic has been found in Network-weathermap .network Weathermap up to 0.96. This affects an unknown function of the file editor.php. Performing a manipulation of the argument map_title results in cross site scripting. This vulnerability is reported as CVE-2013-2618. The attack is possible to be carried out remotely. Moreover, an exploit is present. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability classified as problematic has been found in Network-weathermap .network Weathermap up to 0.96. This affects some unknown processing of the file editor.php. The manipulation of the argument map_title with an unknown input leads to a cross site scripting vulnerability. CWE is classifying the issue as CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This is going to have an impact on integrity. The summary by CVE is:

Cross-site scripting (XSS) vulnerability in editor.php in Network Weathermap before 0.97b allows remote attackers to inject arbitrary web script or HTML via the map_title parameter.

The weakness was disclosed 06/05/2014 (Website). The advisory is shared at exploit-db.com. This vulnerability is uniquely identified as CVE-2013-2618 since 03/18/2013. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction. Technical details and a public exploit are known. MITRE ATT&CK project uses the attack technique T1059.007 for this issue.

A public exploit has been developed by Daniel Ricardo dos Santos and been published before and not just after the advisory. The exploit is shared for download at exploit-db.com. It is declared as highly functional. The vulnerability was handled as a non-public zero-day exploit for at least 429 days. During that time the estimated underground price was around $0-$5k. By approaching the search of inurl:editor.php it is possible to find vulnerable targets with Google Hacking.

Upgrading to version 0.97 eliminates this vulnerability.

The vulnerability is also documented in the databases at X-Force (83187), Exploit-DB (24913), SecurityFocus (BID 58793†) and OSVDB (91869†). The entry VDB-69958 is pretty similar. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Vendor

• Network-weathermap

Name

• .network Weathermap

Version

• 0.1
• 0.2
• 0.3
• 0.4
• 0.5
• 0.6
• 0.7
• 0.8
• 0.9
• 0.10
• 0.11
• 0.12
• 0.13
• 0.14
• 0.15
• 0.16
• 0.17
• 0.18
• 0.19
• 0.20
• 0.21
• 0.22
• 0.23
• 0.24
• 0.25
• 0.26
• 0.27
• 0.28
• 0.29
• 0.30
• 0.31
• 0.32
• 0.33
• 0.34
• 0.35
• 0.36
• 0.37
• 0.38
• 0.39
• 0.40
• 0.41
• 0.42
• 0.43
• 0.44
• 0.45
• 0.46
• 0.47
• 0.48
• 0.49
• 0.50
• 0.51
• 0.52
• 0.53
• 0.54
• 0.55
• 0.56
• 0.57
• 0.58
• 0.59
• 0.60
• 0.61
• 0.62
• 0.63
• 0.64
• 0.65
• 0.66
• 0.67
• 0.68
• 0.69
• 0.70
• 0.71
• 0.72
• 0.73
• 0.74
• 0.75
• 0.76
• 0.77
• 0.78
• 0.79
• 0.80
• 0.81
• 0.82
• 0.83
• 0.84
• 0.85
• 0.86
• 0.87
• 0.88
• 0.89
• 0.90
• 0.91
• 0.92
• 0.93
• 0.94
• 0.95
• 0.96

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion