jCore versions 1.0pre and prior contain a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks on a targeted system.
The vulnerability is due to insufficient validation of user-supplied input by the /admin/index.php
page of the affected software. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to follow a malicious link that contains a crafted path
GET parameter. When a user visits the link, it could allow the attacker to execute arbitrary script code in the user browser session under the context of the affected web site. This could allow the attacker to access browser-based sensitive information such as authentication cookies and recently submitted data.
Proof-of-concept code that exploits this vulnerability is publicly available.
To exploit the vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the link.
Users should verify that unsolicited links are safe to follow. Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
jCore has confirmed the vulnerability at the following link: CVE-2012-4231
. jCore has released updated software at the following link: jCore version 1.0pre2