oss-sec mailing list archives
Dokeos 2.1.1 XSS CVE-2012-5776
From: cve-assign () mitre org
Date: Fri, 2 Nov 2012 15:58:50 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We have assigned CVE-2012-5776 for all of the XSS issues involving "extra_" parameters in main/auth/profile.php in Dokeos 2.1.1; see http://www.securityfocus.com/archive/1/524564 Here is a possibly relevant code excerpt from the Dokeos main/admin/registration_step3.php file: // extra default values $defaults['extra_street'] = isset($_SESSION['user_info']['extra_street'])?$_SESSION['user_info']['extra_street']:''; $defaults['extra_addressline2'] = isset($_SESSION['user_info']['extra_addressline2'])?$_SESSION['user_info']['extra_addressline2']:''; $defaults['extra_zipcode'] = isset($_SESSION['user_info']['extra_zipcode'])?$_SESSION['user_info']['extra_zipcode']:''; $defaults['extra_city'] = isset($_SESSION['user_info']['extra_city'])?$_SESSION['user_info']['extra_city']:''; $defaults['extra_organization'] = isset($_SESSION['user_info']['extra_organization'])?$_SESSION['user_info']['extra_organization']:''; if ($iden == 0 && $wish == 0) { $defaults['extra_phone'] = isset($_SESSION['user_info']['extra_phone'])?$_SESSION['user_info']['extra_phone']:''; } - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (SunOS) iQEcBAEBAgAGBQJQlCVhAAoJEGvefgSNfHMdVn4H/1ja+VHgAZV85AfOzieg3k0A PSKLu77HeSIEmPMoJNyQMWcEpPlu/T/Oj7E/ktXssU6PIoXsct+7HGKjN1aSDAlY REk+uxTOt1ByQMb9EmHt01/V7Jw/j/fD4itykmzerBKx3x7Xy69k5NRWiySbCsSs DYppdKN6vUTBQFpMPayTv56ii5QwQ7xAqg+yUeC0HJuJxh+hOE0mYHRteOQDxQcx sr70AACcax3/OOl900YO+X/NSAOw0tW4CEhMIyhrFCyHFcNSQRG/s2EameVzD6BO DdtANg3nvaypKR3a4EQ2cFSDvX2zXCYhd8iqbMm4M2n1aLseNeGfdd5zc4BRICM= =OeB+ -----END PGP SIGNATURE-----
Current thread:
- Dokeos 2.1.1 XSS CVE-2012-5776 cve-assign (Nov 02)