SparkleBlog Journal.php HTML Injection Vulnerability =>v2.1 (all versions vulnerable)
SparkleBlog is prone to HTMl injection attacks. It is possible for a malicious
SparkleBlog user to inject hostile HTML script code into the commentary via
form fields. This code may be rendered in the browser of a web user who views
the commentary of SparkleBlog.
SparkleBlog does not adequately filter HTMl tags from various fields. This may
enable an attacker to inject arbitrary script code into pages that are
generated by SparkleBlog
example:
put <script>alert('test')</script> in the "name:" tag in
http://localhost/journal.php?id=1
SparkleBlog home page: http://www.creamed-coconut.org/