CNN.com Cross-Site Scripting Vulnerability
I love CNN, so I am not hating on them at all…
Just an FYI - I would probably refrain from browsing CNN for the meantime and definitely don't click on any articles within "My Recently Viewed Pages" due to a cross-site scripting vulnerability...
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site scripting carried out on websites was roughly 80% of all documented security vulnerabilities. Often during an attack "everything looks fine" to the end-user, who may be subject to unauthorized access, theft of sensitive data, and financial loss. (wikipedia.com)
A cross-site scripting vulnerability exists on CNN.com that could allow unauthenticated, remote attackers to modify content on the website, which could lead to further attacks.
CNN.com is susceptible to a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary server-side scripting code.
While there have been no reported attacks, a successful exploit could allow the attacker to modify content on CNN.com, such as posting false news stories or performing drive-by download attacks. Attackers could also leverage this flaw to aid spam and phishing-style attacks that use CNN.com as the lure.
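The "recently viewed pages" pattern mentioned above is a good place to see how this class of bug arises and how it is fixed. The following is an added illustration, not CNN's code: stored page titles and URLs are echoed back into the page, so they are untrusted output and must be encoded for the HTML context they land in. Entry values, the `example.invalid` base URL and all function names are constructed for the example.

```javascript
// Added example (not CNN's code): rendering a "recently viewed pages" list
// from stored data, once unsafely and once with output encoding.
// Entry titles and URLs are treated as untrusted because they were stored
// from earlier page views and are echoed back into the page.

// Unsafe: concatenates stored strings straight into HTML.
function renderRecentlyViewedUnsafe(entries) {
  return '<ul>' + entries.map(e =>
    `<li><a href="${e.url}">${e.title}</a></li>`).join('') + '</ul>';
}

// Encode the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Only allow http(s) URLs; anything else (javascript:, data:, ...) becomes "#".
// The base URL is a constructed placeholder used to resolve relative paths.
function safeHref(url) {
  try {
    const u = new URL(String(url), 'https://example.invalid/');
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch (_) {
    return '#';
  }
}

// Hardened: every untrusted value is encoded for the context it lands in.
function renderRecentlyViewedSafe(entries) {
  return '<ul>' + entries.map(e =>
    `<li><a href="${escapeHtml(safeHref(e.url))}">${escapeHtml(e.title)}</a></li>`
  ).join('') + '</ul>';
}

// Constructed sample: one normal entry and one whose stored values carry markup
// and a non-http link, as a stored XSS entry would.
const sampleEntries = [
  { url: 'https://www.example.invalid/world/story.html', title: 'World news' },
  { url: 'javascript:void(0)', title: '<img src=x onerror="...">' },
];

// Compare the two renderings: the unsafe one echoes the markup verbatim.
console.log(renderRecentlyViewedUnsafe(sampleEntries));
console.log(renderRecentlyViewedSafe(sampleEntries));
```

The same rule applies to any other context (JavaScript strings, CSS, URL parameters): encode for the exact context, and validate URLs against an allowlist of schemes rather than escaping them alone.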
Administrators are advised to review the Cisco Applied Mitigation Bulletin: Understanding Cross-Site Scripting (XSS) Threat Vectors.