vBook Login Application 4.2.17 Cross-site Scripting Vulnerability

2010.06.16
Credit: ddivulnalert
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2009-4890
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Title ----- DDIVRT-2009-21 vBook Login Application Cross-site Scripting Vulnerability Severity -------- Low Date Discovered --------------- January 19th, 2009 Discovered By ------------- Digital Defense, Inc. Vulnerability Research Team Credit: David Marshall and r@b13$ Vulnerability Description ------------------------- Alterations of the title and message parameters in vBook allow attacks to specify arbitrary web or scripting content. This allows scripting tags to be executed by the browser to perform XSS attacks. Such an attack would require convincing a user to click on a specially crafted link. Solution Description -------------------- No patch is available at this time. Tested Systems / Software (with versions) ------------------------------------------ Windows Server 2003, IIS vBook v 4.2.17 Vendor Contact -------------- Vendor Name: Retrieve Technologies, Inc. Vendor Website: http://www.retrieve.com/index.html

References:

http://xforce.iss.net/xforce/xfdb/49161
http://www.securityfocus.com/bid/34046
http://www.securityfocus.com/archive/1/archive/1/501603/100/0/threaded


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top