phpScheduleIt < 1.0.0 New User Registration HTML Injection

low Nessus Network Monitor Plugin ID 2191

Synopsis

The remote host is vulnerable to an HTML injection attack.

Description

The remote host is running phpScheduleIt. According to its banner, this version is reported to be vulnerable to an HTML injection issue. The 'Schedule Name' field is not properly sanitized, so an attacker who has the right to edit it may add malicious HTML and JavaScript code to a schedule page. The malicious code would then be executed by the web browser of a victim displaying this schedule.

Solution

Upgrade to phpScheduleIt 1.0.0 or higher.

Plugin Details

Severity: Low

ID: 2191

Family: CGI

Published: 9/1/2004

Updated: 3/6/2019

Nessus ID: 14613

Risk Information

VPR

Risk Factor: Low

Score: 2.7

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:brickhost:phpscheduleit

Reference Information

CVE: CVE-2004-1651

BID: 11080