vtiger CRM 4.2 - RSS Aggregation Module Feed Cross-Site Scripting

CVE编号

CVE-2005-3818

利用情况

暂无

补丁情况

N/A

披露时间

2005-11-26

漏洞描述

Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView action in the Leads module for index.php, (3) the $_SERVER['PHP_SELF'] variable, which is used in multiple locations such as index.php, and (4) aggregated RSS feeds in the RSS aggregation module.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
http://secunia.com/advisories/17693
http://securitytracker.com/id?1015271
http://www.hardened-php.net/advisory_232005.105.html
http://www.osvdb.org/21227
http://www.osvdb.org/21228
http://www.osvdb.org/21229
http://www.osvdb.org/21230
http://www.securityfocus.com/archive/1/417730/30/0/threaded
http://www.securityfocus.com/bid/15562
http://www.vupen.com/english/advisories/2005/2569
https://exchange.xforce.ibmcloud.com/vulnerabilities/23362
https://exchange.xforce.ibmcloud.com/vulnerabilities/23363

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	应用	vtiger	vtiger_crm	*		Up to (including) 4.2

CVSS3评分 4.3

• 攻击路径 网络
• 攻击复杂度 N/A
• 权限要求 无
• 影响范围 N/A
• 用户交互 无
• 可用性 无
• 保密性 无
• 完整性 部分地

AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-ID	漏洞类型
NVD-CWE-Other

Exp相关链接

• https://www.exploit-db.com/exploits/26584
• https://www.exploit-db.com/exploits/26585

- avd.aliyun.com