CVE-2009-2565

Vulnerability

A cross-site scripting (XSS) vulnerability exists in shiromuku(fs6)DIARY version 2.40 and earlier, a web log software by Perl CGI's By Mrs. Shiromuku. The vulnerability allows remote attackers to inject arbitrary web script or HTML via unspecified vectors [1], [2], [3], [4].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL or input that, when processed by the vulnerable application, injects arbitrary script or HTML. The attack requires no authentication and can be delivered over the network. User interaction is required, as the victim must visit a specially crafted URL or interact with the injected content [1], [2], [3].

Impact

Successful exploitation allows an attacker to execute arbitrary script in the user's web browser within the security context of the affected site. This could lead to information disclosure, session hijacking, or other malicious actions performed on behalf of the victim [2], [3].

Mitigation

The vendor released version 2.41 to address this vulnerability. Users of shiromuku(fs6)DIARY version 2.40 and earlier should upgrade to version 2.41 by replacing the slib folder with the latest version from the official download page [4]. No other workarounds are mentioned in the available references [2], [3], [4].