|Published: 2005-05-02 00:00:00|
|Revised: 2008-09-10 15:37:32|
[Original] ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: this candidate was created as a result of an analysis error for a researcher advisory for an issue that already existed. It stated an incorrect parameter, which was not part of the vulnerability at all. Notes: CVE users should not reference this candidate at all.
[Machine translation] ** REJECT ** Do not use this candidate number.
- CVSS (base score)
- CPE (affected platforms and products)
- OVAL (technical details for detection)
|PAFileDB ID Parameter Cross-Site Scripting Vulnerability|
|Input Validation Error||12952|
|2005-03-31 12:00:00||2009-07-12 11:56:00|
|Discovery is credited to Diabolic Crab <firstname.lastname@example.org>. SecurityReason <email@example.com> may also have independently discovered this issue.|
|PHP Arena paFileDB 3.1
PHP Arena paFileDB 3.0 Beta 3.1
PHP Arena paFileDB 3.0
PHP Arena paFileDB 2.1.1
PHP Arena paFileDB 1.1.3
|paFileDB is reported prone to a cross-site scripting vulnerability.
The vulnerability presents itself when an attacker supplies malicious HTML and script code through the 'id' parameter.
This may allow for theft of cookie-based authentication credentials or other attacks.
paFileDB 3.1 and prior versions are affected by this vulnerability.
This issue may be related to BID 12788 (PAFileDB Multiple SQL Injection And Cross-Site Scripting Vulnerabilities) and BID 12758 (PHP Arena PAFileDB Multiple Remote Cross Site Scripting Vulnerabilities). This BID will be retired or updated upon further analysis.
An exploit is not required.
The following proof of concept is available:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.