CVE-2010-5284

Multiple cross-site scripting (XSS) vulnerabilities in Collabtive 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) User parameter in the edit user profile feature to manageuser.php, (2) y parameter in a newcal action to manageajax.php, and the (3) pic parameter to thumb.php.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://packetstormsecurity.org/1010-exploits/collabtive-xssxsrf.txt
http://secunia.com/advisories/41805	Vendor Advisory
http://www.anatoliasecurity.com/adv/as-adv-2010-003.txt
http://www.exploit-db.com/exploits/15240
http://www.securityfocus.com/bid/44050	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:o-dyn:collabtive:0.6.5:*:*:*:*:*:*:*

History

No history.

Information

Published : 2012-11-26 23:55

Updated : 2024-02-28 12:00

NVD link : CVE-2010-5284

Mitre link : CVE-2010-5284

CVE.ORG link : CVE-2010-5284

JSON object : View

Products Affected

o-dyn

collabtive

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2010-5284", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2012-11-26T23:55:01.127", "references": [{"url": "http://packetstormsecurity.org/1010-exploits/collabtive-xssxsrf.txt", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/41805", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.anatoliasecurity.com/adv/as-adv-2010-003.txt", "source": "cve@mitre.org"}, {"url": "http://www.exploit-db.com/exploits/15240", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/44050", "tags": ["Exploit"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Collabtive 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) User parameter in the edit user profile feature to manageuser.php, (2) y parameter in a newcal action to manageajax.php, and the (3) pic parameter to thumb.php."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de tipo cross-site scripting (XSS) en Collabtive versi\u00f3n 0.6.5, permiten a los atacantes remotos inyectar script web o HTML arbitrario por medio del (1) par\u00e1metro User en la funcionalidad edit user profile en el archivo manageuser.php, (2) par\u00e1metro y en una acci\u00f3n newcal en el archivo manageajax.php, y (3) par\u00e1metro pic en el archivo thumb.php."}], "lastModified": "2013-08-13T16:58:10.837", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:o-dyn:collabtive:0.6.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "580EFB49-6D33-4F64-B8EB-85532DED2B52"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}