Executive Summary
Summary | |
---|---|
Title | ProjectForum XSS vulnerability |
Information | |||
---|---|---|---|
Name | VU#901251 | First vendor Publication | 2011-09-30 |
Vendor | VU-CERT | Last vendor Modification | 2011-09-30 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Vulnerability Note VU#901251
ProjectForum XSS vulnerability

Overview

ProjectForum 7.0.1.3038, and possibly previous versions, are vulnerable to cross-site scripting (XSS).

I. Description

CourseForum's ProjectForum software fails to sanitize all input fields. As a result, cross-site scripting (XSS) attacks can be conducted. By default, a non-credentialed user can create a new web page on a ProjectForum wiki. Each ProjectForum wiki page contains a "more" object which lists the objects associated with that wiki page. An attacker can inject JavaScript code that will run each time the wiki page is accessed, by renaming one of the page's associated objects and inserting JavaScript code as the name. For example, the following JavaScript code can be injected into the listing-of-objects variable:

Restrict access
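The pattern the note describes, as an added illustration rather than ProjectForum's own code (whose internals the note does not show): an object name stored by the rename step is later written into the page's "more" listing. The vulnerable renderer concatenates the name raw, the hardened one HTML-escapes it for the text context it lands in. The class, function names and the object list are assumptions.

```python
import html
from dataclasses import dataclass, field


# Constructed model of a wiki page with associated objects (assumption:
# ProjectForum's real data structures are not described in the note).
@dataclass
class WikiPage:
    title: str
    objects: list = field(default_factory=list)

    def rename_object(self, old_name: str, new_name: str) -> None:
        # The rename step from the advisory: new_name comes from an
        # unauthenticated user and is stored without any sanitization.
        self.objects = [new_name if o == old_name else o for o in self.objects]


def render_more_listing_unsafe(page: WikiPage) -> str:
    """Vulnerable pattern (CWE-79): names are concatenated into HTML as-is,
    so a stored name containing markup is parsed as markup on every view."""
    items = "".join(f"<li>{name}</li>" for name in page.objects)
    return f"<ul class='more'>{items}</ul>"


def render_more_listing(page: WikiPage) -> str:
    """Hardened form: escape each name for the HTML text context, so the
    stored name is displayed literally instead of executing."""
    items = "".join(f"<li>{html.escape(name, quote=True)}</li>" for name in page.objects)
    return f"<ul class='more'>{items}</ul>"


def demo() -> tuple[str, str]:
    """Returns (unsafe_html, safe_html) for a page after a hostile rename."""
    page = WikiPage("Home", ["notes.txt", "diagram.png"])
    # Constructed rename value: the standard harmless XSS probe string.
    page.rename_object("notes.txt", "<script>alert(1)</script>")
    return render_more_listing_unsafe(page), render_more_listing(page)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe:", unsafe)
    print("safe:  ", safe)
```

The same escaping must be applied at every sink where the stored name is emitted, since the flaw is a missing output encoding rather than a bad rename endpoint alone.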
References

http://courseforum.com/pf/index.html

Thanks to Paul Davis for reporting this vulnerability. This document was written by Michael Orlando.
Original Source
Url : http://www.kb.cert.org/vuls/id/901251 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | | 1 |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
75996 | ProjectForum Page Renaming newname Parameter XSS |