
SecPod ID: 10221
Status: Public Report
Facebook Multiple Cross Site Scripting Vulnerability
Severity: High
Release Date: 16-12-2008
CVSS Base Score: 9.4 (AV:N/AC:L/Au:NR/C:C/I:C/A:N)
CVSS Temporal Score = 7.4
Impact Level: Application
Affected Software/OS/Device:
- Facebook Web Application
OpenVAS Plugin ID:
Snort Signature ID:
OVAL ID:
Vulnerability Insight:
Overview:
Facebook is prone to multiple cross-site scripting vulnerabilities.
Description:
These flaws are due to:
- Multiple cross-site scripting bugs in the Facebook web application, in the
profile page, new user registration page, iPhone login page and developer page,
which let the attacker execute several XSS strings in the context of the
Facebook web application.
Impact:
Successful exploitation lets the attacker execute arbitrary XSS attack strings
in the context of the Facebook web application and hijack sessions, cookies,
etc.
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = COMPLETE
INTEGRITY_IMPACT = COMPLETE
AVAILABILITY_IMPACT = NONE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = OFFICIAL_FIX
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 9.4 (AV:N/AC:L/Au:NR/C:C/I:C/A:N)
CVSS Temporal Score = 7.4
Risk factor = High
Fix:
The bug is fixed, according to XSSED. No further information is available.
References:
http://www.xssed.com/news/80/New_highly_critical_Facebook_XSS_vulnerabilities_pose_serious_privacy_risks