Multiple vulnerabilities in Plogger could allow an unauthenticated, remote attacker to conduct SQL injection, cross-site scripting, or cross-site request forgery attacks.
These vulnerabilities exist due to insufficient sanitization of user-supplied input by the affected software. An attacker could exploit these vulnerabilities by convincing a targeted user to open a crafted web page. An exploit could allow an attacker to execute arbitrary script in the user's browser in the security context of the affected site. This may allow the attacker to access sensitive browser-based information such as cookie-based authentication credentials. An attacker could also execute arbitrary SQL commands on the underlying database, enabling the attacker to view, modify, or delete information.
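As an added illustration of the root cause named above (not code from Plogger or from this advisory), the following Python snippet contrasts a lookup that splices user input into SQL with one that binds the value through a placeholder, and shows output encoding for the script-injection side. The table, columns and function names are hypothetical, and the gallery rows are constructed sample data.

```python
import html
import hmac
import sqlite3


def build_gallery():
    # Constructed sample data in an in-memory database; the schema is
    # hypothetical and stands in for a gallery's image table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (id INTEGER, caption TEXT, album TEXT)")
    conn.executemany(
        "INSERT INTO images VALUES (?, ?, ?)",
        [(1, "Sunset", "public"), (2, "Family", "private")],
    )
    return conn


def find_unsafe(conn, album):
    # The defect class the advisory describes: request input is concatenated
    # into the statement, so quote characters in it become part of the SQL.
    sql = "SELECT id, caption FROM images WHERE album = '" + album + "'"
    return conn.execute(sql).fetchall()


def find_safe(conn, album):
    # Placeholder binding: the driver passes the value separately from the
    # statement text, so the input can only ever be compared as a literal.
    sql = "SELECT id, caption FROM images WHERE album = ?"
    return conn.execute(sql, (album,)).fetchall()


def render_caption(caption):
    # Output encoding for the cross-site scripting side: the browser receives
    # text, never markup, regardless of what was stored.
    return "<figcaption>" + html.escape(caption, quote=True) + "</figcaption>"


def csrf_token_ok(session_token, form_token):
    # Cross-site request forgery check: a state-changing request must carry
    # the per-session token; constant-time comparison avoids timing leaks.
    return hmac.compare_digest(session_token, form_token)
```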
Proof-of-concept code that exploits these vulnerabilities is publicly available.
Users should verify that unsolicited links are safe to follow.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
For additional information about SQL injection attacks and defenses, see Understanding SQL Injection.
For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.
The vendor has not confirmed the vulnerability and updates are not available.