Description
Multiple cross-site scripting (XSS) vulnerabilities in DiamondList 0.1.6, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) category[description] parameter to user/main/update_category, which is not properly handled by _app/views/categories/index.html.erb; and the (2) setting[site_title] parameter to user/main/update_settings, which is not properly handled by _app/views/settings/_list_settings.rhtml.
Exploits (2)
exploitdb
WORKING POC
VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/34413
exploitdb
WORKING POC
VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/34414
References (10)
Core 10
Core References
Exploit mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/512892
Issue Tracking x_refsource_confirm
http://dev.hulihanapplications.com/issues/show/211
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/40873
Vendor Advisory x_refsource_misc
http://www.htbridge.ch/advisory/xss_vulnerability_in_diamondlist_1.html
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/512897/100/0/threaded
Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2010/2025
Vendor Advisory x_refsource_misc
http://www.htbridge.ch/advisory/xss_vulnerability_in_diamondlist.html
Exploit x_refsource_confirm
http://dev.hulihanapplications.com/issues/show/213
Exploit x_refsource_misc
http://packetstormsecurity.org/1008-exploits/diamondlist-xssxsrf.txt
Exploit vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/42252
Scores
EPSS
0.1526
EPSS Percentile
94.6%
Details
CWE
CWE-79
Status
published
Products (1)
hulihanapplications/diamondlist
0.1.6
Published
Aug 16, 2010
Tracked Since
Feb 18, 2026