Katia
Posted November 30, 2011

Hello

We conducted a security vulnerability of a web site currently developed using Fusion Charts and the following vulnerability shows up for every swf.

"Fusion Charts - Content Spoofing / XSS
The software Fusion Charts utilizes the FlashVar "dataXML" to allow for dynamic data paths and settings within the generated charts or graphs. The parameter does not currently validate data passed via the "dataXML" and allows an attacker to alter any chart hosted within the current domain and include malicious javascript that will execute when a user interacts with the altered chart."

How can we fix this? Is there a patch or a workaround available?

This question seems similar to the one Michelle posted on November 2nd: Validation For Dataxml Parameter For Pie Swf Files.

Please advise.

Thanks!
Katia

TedWatson
Posted December 31, 2011 (edited)

Keep in mind it could be a false positive, but I would try contacting the vendor or developer just to be safe. You could try using another vulnerability scanner such as Sitewatch, which has a free XSS test.

mystech
Posted January 12, 2012

> Keep in mind it could be a false positive, but I would try contacting the vendor or developer just to be safe. You could try using another vulnerability scanner such as Sitewatch, which has a free XSS test.

I assure you this is not a false positive. It's a known vulnerability related to CVE-2008-6060 and is applicable to all Fusion products. As you can see it's a known issue since 2008.

http://web.nvd.nist....d=CVE-2008-6060
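
For anyone triaging the finding quoted in the first post, a detection sketch, added here as an example and not taken from the thread or from FusionCharts: it flags web-server log entries where a .swf is requested with a "dataXML" value in the URL. It assumes combined-format access logs and that your own pages feed chart data from the embedding page rather than the .swf URL; the sample lines, paths and verdict labels are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Client address and request target from a combined-format access-log line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')
# Generic script markers; anything else is reported as chart-content spoofing.
SCRIPT_RE = re.compile(r'javascript\s*:|<\s*script', re.IGNORECASE)

def full_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded values are inspected too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (client, path, verdict) for a .swf request carrying dataXML, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith(".swf"):
        return None
    # Match the parameter name case-insensitively (a conservative assumption).
    values = [full_decode(v) for k, v in parse_qsl(url.query, keep_blank_values=True)
              if k.lower() == "dataxml"]
    if not values:
        return None
    verdict = "script" if any(SCRIPT_RE.search(v) for v in values) else "spoofing"
    return client, url.path, verdict

def scan(lines):
    """Classify every line and keep only the flagged requests."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines; addresses and paths are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2012:10:00:01 +0000] "GET /charts/Pie3D.swf HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Jan/2012:10:00:07 +0000] "GET /charts/Pie3D.swf?dataXML=%3Cchart%20caption%3D%27Constructed%27%2F%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jan/2012:10:01:30 +0000] "GET /charts/Column2D.swf?DataXML=%253Cchart%253Ejavascript%253Avoid(0)%253C%252Fchart%253E HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jan/2012:10:02:11 +0000] "GET /index.php?dataXML=x HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Flagged entries show where the chart files are being handed outside data; they are leads for review, not proof of compromise.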