Full Disclosure mailing list archives

DDIVRT-2009-21 vBook Login Application Cross-site Scripting Vulnerability


From: "DDI_Vulnerability_Alert" <DDI.VulnerabilityAlert () ddifrontline com>
Date: Mon, 9 Mar 2009 09:35:32 -0500

Title

-----

DDIVRT-2009-21 vBook Login Application Cross-site Scripting Vulnerability

 

Severity

--------

Low

 

Date Discovered

---------------

January 19th, 2009

 

Discovered By

-------------

Digital Defense, Inc. Vulnerability Research Team

Credit: David Marshall and r@b13$

 

Vulnerability Description

-------------------------

Alterations of the title and message parameters in the vBook login
application allow an attacker to supply arbitrary HTML or script content,
which the application reflects into the page and the victim's browser then
executes (reflected cross-site scripting, XSS). Such an attack requires
convincing a user to click on a specially crafted link.
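The pattern described above, as an added illustration that is not vBook's own code (the vendor's source is not shown in this advisory): only the parameter names title and message come from the report; the login.asp path, the page template and the probe payload are assumptions for the example. The vulnerable handler reflects both query parameters verbatim, the fixed handler HTML-entity-encodes them at the point of output, and the small probe at the end is the check a tester runs to confirm that a marker comes back unencoded.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical login page. The placeholders mirror the "title" and "message"
# parameters named in the advisory; the layout is constructed for this example.
TEMPLATE = """<html><head><title>{title}</title></head>
<body><h1>{title}</h1><p>{message}</p>
<form method="post" action="/login">
<input name="user"><input name="pass" type="password">
</form></body></html>"""


def get_params(url: str):
    """Pull title/message out of the query string (defaults if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    title = params.get("title", ["Login"])[0]
    message = params.get("message", [""])[0]
    return title, message


def render_vulnerable(url: str) -> str:
    """Reflects the parameters verbatim: the reported bug pattern."""
    title, message = get_params(url)
    return TEMPLATE.format(title=title, message=message)


def render_fixed(url: str) -> str:
    """Same page, but every reflected value is entity-encoded for HTML body
    context (<, >, &, ' and ") before it reaches the template."""
    title, message = get_params(url)
    return TEMPLATE.format(
        title=html.escape(title, quote=True),
        message=html.escape(message, quote=True),
    )


def reflects_unescaped(render, url: str, marker: str) -> bool:
    """Reflected-XSS probe: does the marker come back byte-for-byte?"""
    return marker in render(url)


# Constructed probe payload and the "specially crafted link" carrying it.
PAYLOAD = "<script>alert(1)</script>"
CRAFTED = (
    "http://example.test/login.asp?title=Login&message="
    + quote(PAYLOAD, safe="")
)

if __name__ == "__main__":
    print("vulnerable reflects payload:",
          reflects_unescaped(render_vulnerable, CRAFTED, PAYLOAD))
    print("fixed reflects payload:",
          reflects_unescaped(render_fixed, CRAFTED, PAYLOAD))
```

The encoding here is correct for values that land in element content such as the title and paragraph shown; a value reflected inside an attribute, a URL or a script block needs the encoding for that context instead, so the fix must be applied per output location rather than once on input.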

 

Solution Description

--------------------

No patch is available at this time.

 

Tested Systems / Software (with versions)

------------------------------------------

Windows Server 2003, IIS, vBook v4.2.17

 

Vendor Contact

--------------

Vendor Name: Retrieve Technologies, Inc.

Vendor Website: http://www.retrieve.com/index.html

 

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
