CVE-2009-4416

Sažetak

Cross-site scripting (XSS) vulnerability in login.php in phpGroupWare 0.9.16.12, and possibly other versions before 0.9.16.014, allows remote attackers to inject arbitrary web script or HTML via an arbitrary parameter whose name begins with the "phpgw_" sequence.

Reference

http://kambing.ui.ac.id/gentoo-portage/www-apps/phpgroupware/files/phpgroupware-SA35519.patch
http://secunia.com/advisories/35519
http://svn.savannah.gnu.org/viewvc/branches/Version-0_9_16-branch/login.php?r1=19063&r2=19117&pathrev=19117&sortby=date&root=phpgroupware
http://svn.savannah.gnu.org/viewvc/branches/Version-0_9_16-branch/phpgwapi/doc/CHANGELOG?r1=17045&r2=19117&pathrev=19117&sortby=date&root=phpgroupware
http://svn.savannah.gnu.org/viewvc?view=rev&root=phpgroupware&sortby=date&revision=19117
http://www.openwall.com/lists/oss-security/2009/12/20/1
http://www.osvdb.org/56179
http://www.securityfocus.com/bid/35761
https://exchange.xforce.ibmcloud.com/vulnerabilities/51923

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

17-08-2017 - 01:31

Objavljeno

24-12-2009 - 16:30