Quipux Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting (XSS) vulnerability has been identified in Quipux version 4.0.1 through commit e1774ac. The issue is in the file 'anexos/anexos_nuevo.php', where the POST parameter 'asocImgRad' is inserted directly into the HTML output without validation or output encoding. It can be exploited to steal cookies and other private information, or to perform actions on behalf of the user. Because the parameter is only read from a POST body, the payload cannot be delivered in a plain link; the attacker has to lure the victim to a page that submits the form for them, which makes the attack harder but not impractical.

Impact

Exploitation of this vulnerability results in reflected cross-site scripting: an attacker can execute arbitrary script in the victim's browser, in the origin and session context of the logged-in Quipux user.

Reproduction

To reproduce this vulnerability, send a POST request to 'anexos/anexos_nuevo.php' with the 'asocImgRad' parameter set to a script payload, or to a harmless marker containing a double quote and angle brackets to confirm reflection first. Because the value is neither validated nor encoded, it is returned verbatim in the response and the browser executes it.

Remediation

It is recommended to encode user input for the HTML context in which it is displayed (in PHP, htmlspecialchars() with ENT_QUOTES for text and attribute values) and, where the parameter only takes a fixed set of values, to validate it against that set before use. A Content Security Policy that disallows inline script raises the bar for exploitation. CSRF tokens are not an XSS fix in themselves, since script already running in the page can read the token; what a per-session token on this form does is stop a cross-site page from submitting the POST that delivers the payload, which removes the main delivery route for a POST-only reflected XSS.
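The pattern described under Reproduction and Remediation, shown as an added example in PHP. This is not Quipux code: the advisory names the sink ('anexos/anexos_nuevo.php', POST parameter 'asocImgRad') but not the markup around it, so the radio-button attribute context, the allowed value set and the session layout below are assumptions made for illustration.

```php
<?php
// Added example, not Quipux code. The attribute context, the allowed
// values for asocImgRad and the session layout are assumptions.
declare(strict_types=1);

// Vulnerable pattern described by the advisory: the POST value is written
// into the HTML output with no validation and no encoding.
function render_vulnerable(array $post): string
{
    $asocImgRad = (string) ($post['asocImgRad'] ?? '');
    return '<input type="radio" name="asocImgRad" value="' . $asocImgRad . '">';
}

// Hardened output: encode for the HTML attribute context. ENT_QUOTES encodes
// both quote styles so the value cannot close the attribute; ENT_SUBSTITUTE
// keeps invalid UTF-8 from turning the whole value into an empty string.
function render_hardened(array $post): string
{
    $asocImgRad = (string) ($post['asocImgRad'] ?? '');
    $safe = htmlspecialchars($asocImgRad, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="radio" name="asocImgRad" value="' . $safe . '">';
}

// Input validation as a second layer: a radio value only ever comes from a
// small fixed set, so anything else is rejected before it reaches a template.
function asocImgRad_is_valid(array $post): bool
{
    $allowed = ['S', 'N'];                       // hypothetical value set
    return in_array($post['asocImgRad'] ?? null, $allowed, true);
}

// Per-session CSRF token: blocks the cross-site form submission that would
// deliver a POST-only reflected XSS payload. It is not an XSS fix by itself.
function csrf_token_is_valid(array $post, array $session): bool
{
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    return is_string($expected) && $expected !== ''
        && is_string($submitted) && hash_equals($expected, $submitted);
}

// Policy that refuses inline script; send it with header() in a real page.
function csp_header(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'";
}

// Request handling in the order a fixed anexos_nuevo.php would apply it.
function handle(array $post, array $session): array
{
    if (!csrf_token_is_valid($post, $session)) {
        return [403, 'missing or invalid CSRF token'];
    }
    if (!asocImgRad_is_valid($post)) {
        return [400, 'asocImgRad: unexpected value'];
    }
    return [200, render_hardened($post)];
}

// Constructed probe: breaks out of the attribute if reflected verbatim.
$probe   = '"><b>xss-probe</b>';
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$attack  = ['asocImgRad' => $probe];          // cross-site submission, no token
$legit   = ['asocImgRad' => 'S', 'csrf_token' => $session['csrf_token']];

echo "vulnerable: ", render_vulnerable($attack), "\n";   // attribute closed, <b> injected
echo "encoded:    ", render_hardened($attack), "\n";     // &quot;&gt;&lt;b&gt;... stays text
[$code, $body] = handle($attack, $session);
echo "handle(attack): $code $body\n";                    // 403, token missing
[$code, $body] = handle($legit, $session);
echo "handle(legit):  $code $body\n";                    // 200, value="S"
echo csp_header(), "\n";
```

Run it with `php` on the command line to compare the two renderings: the vulnerable output contains the probe's `"><b>` unchanged, so the browser closes the attribute and parses the injected tag, while the encoded output keeps every character of the probe inside the attribute value. The allow-list and the CSRF check are independent of the encoding and would each stop this specific request on their own; the encoding is the fix that also covers values no allow-list anticipates.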

Added: Nov 5, 2025, 7:23 PM
Updated: Nov 5, 2025, 7:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 7.4
remediation: 0.0
relevance: 0.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.