CVE-2003-0483
CVSS6.8
发布时间 :2003-08-07 00:00:00
修订时间 :2016-10-17 22:34:26
NMCOES    

[原文]Cross-site scripting (XSS) vulnerabilities in XMB Forum 1.8 Partagium allow remote attackers to insert arbitrary script via (1) the member parameter to member.php or (2) the action parameter to buddy.php.


[CNNVD]XMB Forum多个跨站脚本和HTML注入漏洞。(CNNVD-200308-003)

        XMB Forum 1.8 Partagium存在跨站脚本(XSS)漏洞。远程攻击者借助(1)member.php的member参数或者(2)buddy.php的action参数插入任意脚本。

- CVSS (基础分值)

CVSS分值: 6.8 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0483
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0483
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-003
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=105638720409307&w=2
(UNKNOWN)  BUGTRAQ  20030623 Many XSS Vulnerabilities in XMB Forum.

- 漏洞信息

XMB Forum多个跨站脚本和HTML注入漏洞。
中危 跨站脚本
2003-08-07 00:00:00 2005-10-20 00:00:00
远程  
        XMB Forum 1.8 Partagium存在跨站脚本(XSS)漏洞。远程攻击者借助(1)member.php的member参数或者(2)buddy.php的action参数插入任意脚本。

- 公告与补丁

        A vendor update is available. Contact the vendor for more information.

- 漏洞信息 (22821)

XMB Forum 1.8 buddy.php action Parameter XSS (EDBID:22821)
php webapps
2003-06-23 Verified
0 Knight Commander
N/A [点击下载]
source: http://www.securityfocus.com/bid/8013/info
 
XMB Forum has been reported prone to multiple cross-site scripting and HTML-injection vulnerabilities because the application fails to sanitize user-supplied data.
 
An attacker may exploit any one of these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user.

http://www.example.com/XMBforum/buddy.php?action=<script>alert('XSS')</script>&buddy=<script>alert('XSS')</script>		

- 漏洞信息

23073
XMB Forum buddy.php action Parameter XSS
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public

- 漏洞描述

XMB Forum contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'action' variable upon submission to the 'buddy.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

- 时间线

2003-06-22 Unknow
2003-06-22 Unknow

- 解决方案

Upgrade to version 1.8 Partagium Final SP1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

- 漏洞信息

XMB Forum Multiple Cross-Site Scripting And HTML Injection Vulnerabilities
Input Validation Error 8013
Yes No
2003-06-23 12:00:00 2008-09-11 07:10:00
Discovery of this vulnerability has been credited to Knight Commander <knight4vn@yahoo.com>.

- 受影响的程序版本

XMB Forum 1.8 SP1
XMB Forum 1.8
XMB Forum 1.9.8 SP2

- 不受影响的程序版本

XMB Forum 1.9.8 SP2

- 漏洞讨论

XMB Forum has been reported prone to multiple cross-site scripting and HTML-injection vulnerabilities because the application fails to sanitize user-supplied data.

An attacker may exploit any one of these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user.

- 漏洞利用

The following proof of concept has been supplied:

http://www.example.com/XMBforum/member.phpaction=viewpro&amp;member=admin&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;

http://www.example.com/XMBforum/buddy.php?action=&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;buddy=&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;

- 解决方案

A vendor update is available. Contact the vendor for more information.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站