Re: Dokeos 2.1.1 Multiple Stored XSS Vulnerabilities

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I have discovered several Stored XSS vulnerabilities in Dokeos ...
> Version 2.1.1.
>
> *Path:* /dokeos-2.1.1/main/auth/profile.php
>
> *Issue detail:*
> The problem is script does not sanitise the following parameters, "Phone"
> "Street" "Address line" "Zip code" "City"
>
>
> *Path:* /dokeos-2.1.1/main/social/groups.php?id=1
>
> *Issue detail:*
> The problem is that if attacker were to enter the following XSS vector as
> the "Subject Topic".
>
>
> *Path:* /dokeos-2.1.1/main/messages/view_message.php?id=6&f=social
>
> The problem is similar to issue #2 if attacker were to enter the following
> XSS vector in the Message itself.
>
> 2014-01-15 - Third Vendor Notification (no reply).
> Please see the full report at http://www.xchg.info/?p=381

Use CVE-2014-1877.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS9YlaAAoJEKllVAevmvms7vAIAMFBjcin6+PpSaEPEtCPZ9Pg
YzJaLhwkLs8p84agFepywNokm1zbQXxAgQcI5vrljXBb6SOMlatCINxCLWg1M7ml
ndMKgiLoZF3m4a/S54VxGLIdnG3+JBu6kAfJKhTWU6eHYAtDCHKIKLFpkx8ESvl2
ksJaBN2kaTI5iT0FnmThc23GarhNuL5GTSf0kk+9HQw87eDarJzEfO9n4/4t7gLO
QouDv+JzBeohq1VaHa97d0nLgq1y/4SResQsltlUkE0zj6K0ILflKCKl5/OF5MUl
x9nj1ocHe9uc2XD/kcSr+PjcWXKmJUhx3FloUoPdZA8q7WhxP+aibLSLUkczD5o=
=6Mg2
-----END PGP SIGNATURE-----