| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2571D31D42513640AE1632FEE100E0E402DD7498@hypercom.defense.local>
Date: Mon, 9 Mar 2009 09:35:32 -0500
From: "DDI_Vulnerability_Alert" <DDI.VulnerabilityAlert@...frontline.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: DDIVRT-2009-21 vBook Login Application Cross-site
Scripting Vulnerability
Title
-----
DDIVRT-2009-21 vBook Login Application Cross-site Scripting
Vulnerability
Severity
--------
Low
Date Discovered
---------------
January 19th, 2009
Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@...$
Vulnerability Description
-------------------------
Alterations of the title and message parameters in vBook allow attacks
to specify arbitrary web or scripting content. This allows scripting
tags to be executed by the browser to perform XSS attacks. Such an
attack would require convincing a user to click on a specially crafted
link.
Solution Description
--------------------
No patch is available at this time.
Tested Systems / Software (with versions)
------------------------------------------
Windows Server 2003, IIS vBook v 4.2.17
Vendor Contact
--------------
Vendor Name: Retrieve Technologies, Inc.
Vendor Website: http://www.retrieve.com/index.html
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists