Multiple vulnerabilities in Plogger version 1.0 RC1 could allow an unauthenticated, remote attacker to conduct SQL injection, cross-site scripting, or cross-site request forgery attacks.
These vulnerabilities exist because the affected software does not sufficiently sanitize user-supplied input. An attacker could exploit these vulnerabilities by convincing a targeted user to open a crafted web page. A successful exploit could allow the attacker to execute arbitrary script in the browser of the targeted user within the security context of the affected site, giving the attacker access to sensitive browser-based information such as cookie-based authentication credentials, or to execute arbitrary SQL code on the underlying database, enabling the attacker to view, modify, or delete information.
Proof-of-concept code that exploits these vulnerabilities is publicly available.
Users should verify that unsolicited links are safe to follow.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit these vulnerabilities.
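The three weaknesses named in this advisory share one root cause, untrusted input reaching a SQL query, an HTML response, or a state-changing request without validation. The following added example, written for this page and not taken from Plogger or from Cisco, shows the corresponding server-side fixes in Python against an in-memory SQLite table: a string-built query next to its parameterized replacement, output encoding for rendered text, and a per-session CSRF token checked with a constant-time comparison. The table schema, the session dictionary, and the form field names are constructed for the example.

```python
import hmac
import html
import secrets
import sqlite3


def make_db():
    """Constructed stand-in for a gallery database (assumption, not Plogger's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pictures (id INTEGER PRIMARY KEY, caption TEXT)")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, picture_id INTEGER, body TEXT)")
    db.executemany("INSERT INTO pictures (caption) VALUES (?)", [("sunset",), ("harbour",)])
    return db


def find_picture_unsafe(db, picture_id):
    """The injectable pattern: request data concatenated into the SQL text."""
    return db.execute("SELECT id, caption FROM pictures WHERE id = " + picture_id).fetchall()


def find_picture_safe(db, picture_id):
    """Hardened form: enforce the expected type, then bind the value as a parameter."""
    try:
        pid = int(picture_id)
    except (TypeError, ValueError):
        return []
    return db.execute("SELECT id, caption FROM pictures WHERE id = ?", (pid,)).fetchall()


def render_text(text):
    """Output encoding: HTML metacharacters in user data become entities, so they are
    displayed rather than interpreted as markup or script."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def issue_csrf_token(session):
    """Store an unpredictable per-session token that forms must echo back."""
    token = secrets.token_hex(32)
    session["csrf"] = token
    return token


def csrf_valid(session, submitted):
    """A cross-site request cannot read the token, so a missing or wrong value is rejected.
    compare_digest avoids leaking the token byte-by-byte through timing."""
    expected = session.get("csrf")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def post_comment(db, session, form):
    """Hypothetical comment handler combining the three checks.
    Returns (status, rendered_html)."""
    if not csrf_valid(session, form.get("csrf")):
        return ("forbidden", "")
    picture = find_picture_safe(db, form.get("picture_id"))
    if not picture:
        return ("not_found", "")
    body = form.get("body", "")
    if not 0 < len(body) <= 1000:
        return ("bad_request", "")
    db.execute("INSERT INTO comments (picture_id, body) VALUES (?, ?)", (picture[0][0], body))
    return ("ok", render_text(body))


if __name__ == "__main__":
    db = make_db()
    session = {}
    token = issue_csrf_token(session)
    print(find_picture_unsafe(db, "1 OR 1=1"))  # every row: the injection succeeds
    print(find_picture_safe(db, "1 OR 1=1"))    # []: the value is not an integer
    print(post_comment(db, session, {"csrf": token, "picture_id": "1",
                                     "body": "<script>alert(1)</script>"}))
    print(post_comment(db, {}, {"csrf": token, "picture_id": "1", "body": "hi"}))
```

The type check in `find_picture_safe` is not what prevents injection; parameter binding does. The check is there so that malformed input fails early with a clean error instead of reaching the database at all. Encoding happens at render time rather than at storage time so the stored text stays usable in other contexts (JSON, plain-text e-mail) where HTML entities would be wrong.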
For additional information about SQL injection attacks and defenses, see Understanding SQL Injection.
For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.
For additional information about cross-site request forgery attacks and potential mitigation methods, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Request Forgery Threat Vectors.
The vendor has not confirmed these vulnerabilities, and updates are not available.