DDIVRT-2009-21 vBook Login Application Cross-site Scripting Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: DDIVRT-2009-21 vBook Login Application Cross-site Scripting Vulnerability
- From: ddivulnalert@xxxxxxxxxxxxxxxx
- Date: Mon, 9 Mar 2009 08:45:01 -0600
Title
-----
DDIVRT-2009-21 vBook Login Application Cross-site Scripting Vulnerability
Severity
--------
Low
Date Discovered
---------------
January 19th, 2009
Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$
Vulnerability Description
-------------------------
Alterations of the title and message parameters in vBook allow attackers to
specify arbitrary web or scripting content. This allows scripting tags to be
executed by the browser to perform XSS attacks. Such an attack would require
convincing a user to click on a specially crafted link.
Solution Description
--------------------
No patch is available at this time.
Tested Systems / Software (with versions)
------------------------------------------
Windows Server 2003, IIS vBook v 4.2.17
Vendor Contact
--------------
Vendor Name: Retrieve Technologies, Inc.
Vendor Website: http://www.retrieve.com/index.html
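
With no patch available, an interim control is to flag requests whose title or message parameters decode to markup, and to HTML-encode those values wherever they are written into a page. The following is an added example, not part of the advisory or the vendor's code; the `/app/login` path, the sample requests and all function names are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Parameters the advisory names as reflecting user-supplied content.
WATCHED_PARAMS = {"title", "message"}

# Heuristic: a tag/comment opener, an inline event handler, or a script URL scheme.
MARKUP = re.compile(r"<[a-z!/?]|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <), with a bound."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url):
    """Return {param: decoded_value} for watched parameters that carry markup."""
    hits = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in WATCHED_PARAMS:
            decoded = fully_decode(value)  # parse_qsl already decoded once
            if MARKUP.search(decoded):
                hits[name.lower()] = decoded
    return hits

def render_safe(value):
    """Output encoding: the value is emitted as text, never as markup."""
    return html.escape(value, quote=True)

# Constructed sample requests; /app/login is a placeholder path.
SAMPLE_REQUESTS = [
    "/app/login?title=Welcome&message=Please+sign+in",
    "/app/login?title=%3Cscript%3Ealert(1)%3C%2Fscript%3E&message=hi",
    "/app/login?title=News&message=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E",
    "/app/login?title=Q1+%3C+Q2+results&message=ok",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for name, value in suspicious_params(req).items():
            print(f"ALERT {name}={value!r} -> encoded: {render_safe(value)}")
```

The request filter is a detection heuristic and can miss or over-match; encoding on output is the control that actually removes the reflection.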