Detections
Analytics

phpScheduleIt 1.0.0 RC1 Multiple XSS

medium Nessus Plugin ID 14613

Language:

Synopsis

The remote web server contains a PHP application that is affected by multiple cross-site scripting vulnerabilities.

Description

According to its banner, the version of phpScheduleIt on the remote host is earlier than 1.0.0. Such versions are vulnerable to HTML injection issues. For example, an attacker may add malicious HTML and JavaScript code in a schedule page if he has the right to edit the 'Schedule Name' field. This field is not properly sanitized. The malicious code would be executed by a victim web browser displaying this schedule.

Solution

Upgrade to phpScheduleIt version 1.0.0 or later.

See Also

https://seclists.org/bugtraq/2004/Aug/420

https://seclists.org/bugtraq/2004/Sep/235

Plugin Details

Severity: Medium

ID: 14613

File Name: phpscheduleit_xss.nasl

Version: 1.26

Type: remote

Published: 9/1/2004

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.7

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:brickhost:phpscheduleit

Required KB Items: www/phpscheduleit

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Vulnerability Publication Date: 8/31/2004

Reference Information

CVE: CVE-2004-1651

BID: 11080

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990