Executive Summary
| Summary | |
|---|---|
| Title | New tutos packages fix multiple vulnerabilities |
| Informations | |||
|---|---|---|---|
| Name | DSA-980 | First vendor Publication | 2006-02-22 |
| Vendor | Debian | Last vendor Modification | 2006-02-22 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Joxean Koret discovered several security problems in tutos, a web-based team organization software. The Common Vulnerabilities and Exposures Project identifies the following problems: CVE-2004-2161 An SQL injection vulnerability allows the execution of SQL commands through the link_id parameter in file_overview.php. CVE-2004-2162 Cross-Site-Scripting vulnerabilities in the search function of the address book and in app_new.php allow the execution of web script code. The old stable distribution (woody) does not contain tutos packages. For the stable distribution (sarge) these problems have been fixed in version 1.1.20031017-2+1sarge1. The unstable distribution (sid) does no longer contain tutos packages. We recommend that you upgrade your tutos package. |
Original Source
| Url : http://www.debian.org/security/2006/dsa-980 |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-01-17 | Name : Debian Security Advisory DSA 980-1 (tutos) File : nvt/deb_980_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 10164 | TUTOS file_overview.php link_id Parameter SQL Injection TUTOS contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the link_id variable in the /file/file_overview.php?module is not verified properly and will allow an attacker to inject or manipulate SQL queries. |
| 5327 | TUTOS app_new.php t Parameter XSS TUTOS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 't' variable upon submission to the "app_new.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-980.nasl - Type : ACT_GATHER_INFO |
| 2004-09-21 | Name : The remote host has a PHP script that is affected by multiple vulnerabilities. File : tutos_sql_xss.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:34:56 |
|
