oss-sec mailing list archives

Dokeos 2.1.1 XSS CVE-2012-5776


From: cve-assign () mitre org
Date: Fri, 2 Nov 2012 15:58:50 -0400 (EDT)


We have assigned CVE-2012-5776 for all of the XSS issues involving
"extra_" parameters in main/auth/profile.php in Dokeos 2.1.1; see

  http://www.securityfocus.com/archive/1/524564

Here is a possibly relevant code excerpt from the Dokeos
main/admin/registration_step3.php file:

// extra default values
$defaults['extra_street']       = isset($_SESSION['user_info']['extra_street'])?$_SESSION['user_info']['extra_street']:'';
$defaults['extra_addressline2'] = isset($_SESSION['user_info']['extra_addressline2'])?$_SESSION['user_info']['extra_addressline2']:'';
$defaults['extra_zipcode']      = isset($_SESSION['user_info']['extra_zipcode'])?$_SESSION['user_info']['extra_zipcode']:'';
$defaults['extra_city']         = isset($_SESSION['user_info']['extra_city'])?$_SESSION['user_info']['extra_city']:'';
$defaults['extra_organization'] = isset($_SESSION['user_info']['extra_organization'])?$_SESSION['user_info']['extra_organization']:'';
if ($iden == 0 && $wish == 0) {
    $defaults['extra_phone'] = isset($_SESSION['user_info']['extra_phone'])?$_SESSION['user_info']['extra_phone']:'';
}

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
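The following is an added illustration, not Dokeos code and not part of the message above. It rebuilds the "extra_*" defaults the way the excerpt does and shows the unescaped rendering next to the hardened one; it assumes the defaults are later written into <input value="..."> attributes, which the message does not show.

```php
<?php
declare(strict_types=1);

// Added example (not Dokeos code). The excerpt copies "extra_*" values from
// $_SESSION into $defaults; whether that is an XSS depends on what happens
// when those defaults are written into HTML. Assumption: they are echoed
// into <input value="..."> attributes (the page does not show that code).

/** Build the defaults array the same way the excerpt does. */
function extraDefaults(array $userInfo, array $keys): array
{
    $defaults = [];
    foreach ($keys as $key) {
        $defaults[$key] = isset($userInfo[$key]) ? (string) $userInfo[$key] : '';
    }
    return $defaults;
}

/** Unsafe rendering: the stored value lands in the attribute verbatim. */
function renderUnsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

/** Hardened rendering: escape for the HTML attribute context on output. */
function renderSafe(string $name, string $value): string
{
    $attr = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="' . $attr($name) . '" value="' . $attr($value) . '">';
}

// Constructed sample session value containing attribute-breaking characters
// (a double quote and angle brackets), the classes of input escaping must handle.
$session  = ['user_info' => ['extra_city' => 'Bed"ford <b>']];
$defaults = extraDefaults($session['user_info'], ['extra_street', 'extra_city']);

echo renderUnsafe('extra_city', $defaults['extra_city']), PHP_EOL; // quote closes the attribute early
echo renderSafe('extra_city', $defaults['extra_city']), PHP_EOL;   // quote and brackets become entities
```

The defaults array itself can stay unescaped; the point is that escaping belongs at the output site, chosen for the context (attribute here), not at the point where the session value is read.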

