HIO-2009-0322 OpenGoo 1.3.1 XSS & script insertion

OpenGoo 1.3.1 contains two vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to conduct script insertion attacks.

1) Input passed via the "search_for" parameter in index.php when performing a search is not properly sanitised before being returned to the user (reflected XSS). This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site, once the user is induced to open a crafted search link.

2) Input passed via the "webpage[url]" parameter when adding a web link is not properly sanitised before being stored and later rendered (stored script insertion). This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site whenever the malicious Web Link is viewed, e.g. by other members of a shared workspace.
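The two patterns described above, as an added example that is not OpenGoo's own source: minimal hypothetical PHP (7.4+) showing each vulnerable form beside a hardened one. Function names, the rendering context and the sample inputs are assumptions made for illustration; the hardened Web Link path combines an input-side scheme allow-list with output encoding, since neither alone is sufficient.

```php
<?php
// Added example (not OpenGoo's own source). Minimal PHP 7.4+ code showing the two
// patterns the advisory describes, each beside a hardened version. All function
// and variable names are assumptions for illustration.

// 1) Reflected XSS: a search term echoed back into the page unencoded.
function render_search_header_vulnerable(string $search_for): string
{
    // Raw parameter written into HTML: <script>...</script> in search_for runs.
    return '<h2>Search results for: ' . $search_for . '</h2>';
}

function render_search_header_safe(string $search_for): string
{
    // Encode for the HTML text context. ENT_QUOTES also encodes ' and ",
    // ENT_SUBSTITUTE avoids returning "" on invalid UTF-8, and the charset is
    // given explicitly so the encoder and the page agree on it.
    $safe = htmlspecialchars($search_for, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>Search results for: ' . $safe . '</h2>';
}

// 2) Stored script insertion: a saved Web Link URL rendered into an href.
function render_weblink_vulnerable(string $url, string $title): string
{
    // Stored URL placed verbatim into the attribute: a javascript: scheme, or a
    // quote that closes the attribute followed by an event handler, both work.
    return '<a href="' . $url . '">' . $title . '</a>';
}

// Input-side check: only absolute http(s) URLs with a host are accepted.
// Returns the URL, or null if it should be rejected at save time.
function validate_weblink_url(string $url): ?string
{
    $url = trim($url);
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null; // rejects javascript:, data:, vbscript: and similar
    }
    return $url;
}

// Output-side encoding: even a URL that passed validation is attribute-encoded,
// so a " in the path cannot terminate the href attribute.
function render_weblink_safe(string $url, string $title): string
{
    $checked = validate_weblink_url($url);
    if ($checked === null) {
        return '<span>(invalid link)</span>';
    }
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $h($checked) . '" rel="noopener noreferrer">' . $h($title) . '</a>';
}

// Constructed inputs for demonstration.
$search   = '<script>alert(1)</script>';
$jsUrl    = 'javascript:alert(document.cookie)';
$breakout = 'http://example.com/" onmouseover="alert(1)';

echo render_search_header_vulnerable($search), "\n";
echo render_search_header_safe($search), "\n";
echo render_weblink_vulnerable($jsUrl, 'link'), "\n";
echo render_weblink_safe($jsUrl, 'link'), "\n";        // rejected: not http(s)
echo render_weblink_vulnerable($breakout, 'link'), "\n";
echo render_weblink_safe($breakout, 'link'), "\n";     // " encoded as &quot;
```

The third input passes the scheme check (it is an http URL with a host), so validation alone would not stop the attribute breakout; only the output encoding does. Conversely, encoding alone would leave a javascript: URL intact and clickable, which is why the safe renderer does both.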

The vulnerabilities are confirmed in versions 1.3 and 1.3.1. Other versions may also be affected.

CVE-2009-pending

BID: 34428

FrSIRT: N/A

Nessus: N/A

OSVDB: 53418, 53419

SA: 34420

XF: 49729, 49730

Related: 

Vendor Solution: