phpGroupWare index.php Addressbook XSS

medium Nessus Plugin ID 14292

Synopsis

A remote web application is vulnerable to multiple cross-site scripting attacks.

Description

The remote host seems to be running phpGroupWare, a multi-user groupware suite written in PHP.

This version is reportedly prone to multiple HTML injection vulnerabilities. The issues arise because phpGroupWare modules do not sufficiently validate input submitted through their form fields.

An attacker may use these form fields to inject arbitrary HTML and script code, which may then be incorporated into dynamically generated web content.

Solution

Update to version 0.9.14.005 or newer.

See Also

https://www.phpgroupware.org/

Plugin Details

Severity: Medium

ID: 14292

File Name: phpgroupware_html_injection.nasl

Version: 1.25

Type: remote

Family: CGI abuses

Published: 8/17/2004

Updated: 6/4/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:phpgroupware:phpgroupware

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Vulnerability Publication Date: 7/2/2003

Reference Information

CVE: CVE-2003-0504

BID: 8088