CVE-2008-5228

Cross-site scripting (XSS) vulnerability in IBM Workplace Content Management (WCM) 6.0G and 6.1 before CF8, when a Page Navigation Component shows menu entries, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters in the URI, related to parameters "not being encoded."

CVSS v2.0 2.6 LOW

2.6^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:H/Au:N/C:N/I:P/A:N

Exploitability : 4.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://secunia.com/advisories/32763	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1PK73108	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1PK73933	Patch
http://www.securityfocus.com/bid/32408
http://www.vupen.com/english/advisories/2008/3234
https://exchange.xforce.ibmcloud.com/vulnerabilities/46749

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:workplace_content_management:6.0:::::::*
	cpe:2.3:a:ibm:workplace_content_management:6.1:::::::*

History

No history.

Information

Published : 2008-11-25 23:30

Updated : 2024-02-28 11:21

NVD link : CVE-2008-5228

Mitre link : CVE-2008-5228

CVE.ORG link : CVE-2008-5228

JSON object : View

Products Affected

ibm

workplace_content_management

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2008-5228", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.6, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2008-11-25T23:30:00.563", "references": [{"url": "http://secunia.com/advisories/32763", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1PK73108", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1PK73933", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/32408", "source": "cve@mitre.org"}, {"url": "http://www.vupen.com/english/advisories/2008/3234", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46749", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in IBM Workplace Content Management (WCM) 6.0G and 6.1 before CF8, when a Page Navigation Component shows menu entries, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters in the URI, related to parameters \"not being encoded.\""}, {"lang": "es", "value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en IBM Workplace Content Management (WCM) 6.0G y 6.1 anterior a CF8, cuando el componente Page Navigation muestra las entradas de men\u00fa, permite a atacantes remotos inyectar secuencias de comandos Web o HTML a trav\u00e9s de par\u00e1metros no especificados en la URI. Relacionado con los par\u00e1metros \"sin codificar\"."}], "lastModified": "2017-08-08T01:33:11.797", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:workplace_content_management:6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74703172-E558-4225-9756-97987769F8CA"}, {"criteria": "cpe:2.3:a:ibm:workplace_content_management:6.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "40B93751-DE62-4487-B538-AA129529BFFA"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}