oss-sec mailing list archives
Re: Dokeos 2.1.1 Multiple Stored XSS Vulnerabilities
From: cve-assign () mitre org
Date: Fri, 7 Feb 2014 20:37:00 -0500 (EST)
> I have discovered several Stored XSS vulnerabilities in Dokeos ... Version 2.1.1.

> *Path:* /dokeos-2.1.1/main/auth/profile.php
> *Issue detail:* The problem is script does not sanitise the following parameters,
> "Phone" "Street" "Address line" "Zip code" "City"

> *Path:* /dokeos-2.1.1/main/social/groups.php?id=1
> *Issue detail:* The problem is that if attacker were to enter the following XSS vector as the "Subject Topic".

> *Path:* /dokeos-2.1.1/main/messages/view_message.php?id=6&f=social
> The problem is similar to issue #2 if attacker were to enter the following XSS vector in the Message itself.

> 2014-01-15 - Third Vendor Notification (no reply).

> Please see the full report at http://www.xchg.info/?p=381

Use CVE-2014-1877.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- Dokeos 2.1.1 Multiple Stored XSS Vulnerabilities Gunther (Feb 05)
- Re: Dokeos 2.1.1 Multiple Stored XSS Vulnerabilities cve-assign (Feb 07)