Multiple vulnerabilities in Agora Project 2.13.1 could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS), Structured Query Language (SQL) injection, or blind SQL injection attacks.
The vulnerabilities exist because the affected software fails to perform sufficient validation and sanitization of user-supplied input when processing crafted URLs. An unauthenticated, remote attacker could exploit the XSS vulnerability by convincing a user to follow a malicious link, and the SQL injection vulnerabilities by submitting crafted requests designed to inject SQL statements into the targeted system. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site, giving access to sensitive browser-based information, or to execute arbitrary SQL statements on the underlying database. In the blind SQL injection case the application returns no query output to the attacker, who instead infers database contents from differences in the application's response to true and false conditions.
Proof-of-concept code that demonstrates exploitation of these vulnerabilities is publicly available.
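The following is an added illustration and is not code from Agora Project or from the published proof of concept. It reproduces the generic flaw described above in Python against an in-memory SQLite table; the table, its columns, the `name` parameter and the sample rows are assumptions constructed for the demonstration. It shows how an unescaped URL parameter interpolated into a query yields classic SQL injection, how a page that reveals only "found" or "not found" still yields blind (boolean-based) extraction of a column one character at a time, and how the same parameter reflected unescaped into HTML yields XSS, each beside its parameterized or escaped counterpart.

```python
import html
import sqlite3

# Constructed sample table for the demonstration; not Agora Project data or schema.
SAMPLE_USERS = [
    (1, "alice", "s3cret-alice"),
    (2, "bob", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the query by string interpolation: the URL parameter becomes SQL syntax."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Binds the parameter: whatever the input contains, it is compared as data."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def exists_vulnerable(conn: sqlite3.Connection, name: str) -> bool:
    """Same injection flaw, but the page reveals only whether a row was found.
    No query output reaches the attacker, which is the blind SQL injection case."""
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchone()[0] > 0


def blind_extract_secret(conn: sqlite3.Connection, victim: str, max_len: int = 16) -> str:
    """Boolean-based blind extraction: recover the victim's secret one character
    at a time by asking yes/no questions through exists_vulnerable()."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789-"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            # Becomes: ... WHERE name = 'alice' AND substr(secret,1,1)='s'
            probe = f"{victim}' AND substr(secret,{pos},1)='{ch}"
            if exists_vulnerable(conn, probe):
                recovered += ch
                break
        else:
            break  # no candidate matched, so the value ended at pos-1
    return recovered


def greeting_vulnerable(name: str) -> str:
    """Reflects the URL parameter into the page unescaped: reflected XSS."""
    return f"<p>Welcome, {name}</p>"


def greeting_safe(name: str) -> str:
    """Escapes for the HTML text context before reflecting the value."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    injected = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, injected))    # every row
    print("safe:      ", lookup_safe(db, injected))          # no row
    print("blind:     ", blind_extract_secret(db, "alice"))  # s3cret-alice
    print("xss:       ", greeting_vulnerable("<script>alert(1)</script>"))
    print("escaped:   ", greeting_safe("<script>alert(1)</script>"))
```

The blind routine needs one request per candidate character per position, which is why a boolean-based probe appears in server logs as a long run of near-identical requests from one client. The fix in both cases is the same whatever the language: bind user input as a query parameter rather than concatenating it, and escape it for the output context (here HTML text) before reflecting it into a page.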
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.
For additional information about XSS attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.
For additional information about SQL injection attacks and defenses, see the Cisco Applied Mitigation Bulletin Understanding SQL Injection.
Administrators are advised to monitor affected systems for indications of exploitation, such as web server log entries whose URL parameters contain SQL syntax or script tags, and repeated near-identical requests from a single source, which are characteristic of blind SQL injection probing.
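As an added example that is not part of the advisory: a small Python scanner over constructed combined-format web server log lines (not real Agora Project traffic; the paths, parameters and addresses are made up) that URL-decodes each request and flags the SQL and script patterns such attacks leave behind, then counts hits per source address so that a boolean-based blind probe, which shows up as a run of near-identical requests from one client, stands out. The signatures are heuristics, not a complete ruleset.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed combined-format access log lines for the demonstration.
# Not real Agora Project traffic; paths and parameters are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2023:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2023:12:00:02 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9300 "-" "curl/7.88.1"
203.0.113.7 - - [10/May/2023:12:00:03 +0000] "GET /index.php?id=1%27%20AND%20substr(secret,1,1)%3D%27a HTTP/1.1" 200 310 "-" "python-requests/2.31.0"
203.0.113.9 - - [10/May/2023:12:00:04 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2023:12:00:05 +0000] "GET /index.php?id=42 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method url proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Heuristic signatures applied to the URL-decoded request. They catch the common
# forms only; a tuned WAF ruleset is broader and also handles double encoding.
SIGNATURES = {
    "sqli": re.compile(
        r"'\s*(?:or|and)\s+['\d]"                  # ' OR '1'='1  /  ' AND 1=1
        r"|\bunion\b\s+(?:all\s+)?select\b"
        r"|\bsubstr(?:ing)?\s*\("                  # char-by-char blind extraction
        r"|\b(?:sleep|benchmark|pg_sleep)\s*\("    # time-based blind probes
        r"|--\s",
        re.IGNORECASE,
    ),
    "xss": re.compile(
        r"<\s*script\b|javascript:|\bon[a-z]+\s*=",
        re.IGNORECASE,
    ),
}


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(url: str) -> list:
    """Decode the request URL once and return the signature names it matches."""
    decoded = unquote_plus(url)
    return [tag for tag, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(text: str) -> list:
    """Scan log text and return one hit per suspicious request, in log order."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify_request(rec["url"])
        if tags:
            hits.append({"ip": rec["ip"], "ts": rec["ts"],
                         "url": unquote_plus(rec["url"]), "tags": tags})
    return hits


def hits_by_ip(hits: list) -> dict:
    """Count hits per client; a blind probe shows up as many hits from one address."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["ts"], ",".join(h["tags"]), h["url"])
    print("per source:", hits_by_ip(found))
```

Run it against an exported access log instead of SAMPLE_LOG to get the same report for real traffic; addresses that accumulate many hits in a short window are the ones worth blocking with the IP-based ACLs mentioned above.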
Agora Project has not confirmed the vulnerabilities. Software updates are available at the following link; however, they are not confirmed to have resolved the vulnerabilities: Agora-Project 2.16.3