CVE-2008-1414

Cross-site scripting (XSS) vulnerability in Multiple Time Sheets (MTS) 5.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the tab parameter to (1) index.php, as demonstrated using mixed case and encoded whitespace characters in the tag; or (2) clientinfo.php, (3) invoices.php, (4) smartlinks.php, and (5) todo.php, as demonstrated using a META tag.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/28263	Exploit
http://secunia.com/advisories/29416	Vendor Advisory
http://securityreason.com/securityalert/3756
http://www.vupen.com/english/advisories/2008/0911/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/41227
https://www.exploit-db.com/exploits/5262
http://www.securityfocus.com/archive/1/489689/100/0/threaded

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:riceball:multiple_time_sheets:*:*:*:*:*:*:*:*

Information

Published : 2008-03-20 03:44

Updated : 2018-10-11 13:33

NVD link : CVE-2008-1414

Mitre link : CVE-2008-1414

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advertisement

Products Affected

riceball

multiple_time_sheets

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.securityfocus.com/bid/28263", "name": "28263", "tags": ["Exploit"], "refsource": "BID"}, {"url": "http://secunia.com/advisories/29416", "name": "29416", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://securityreason.com/securityalert/3756", "name": "3756", "tags": [], "refsource": "SREASON"}, {"url": "http://www.vupen.com/english/advisories/2008/0911/references", "name": "ADV-2008-0911", "tags": [], "refsource": "VUPEN"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41227", "name": "mts-index-xss(41227)", "tags": [], "refsource": "XF"}, {"url": "https://www.exploit-db.com/exploits/5262", "name": "5262", "tags": [], "refsource": "EXPLOIT-DB"}, {"url": "http://www.securityfocus.com/archive/1/489689/100/0/threaded", "name": "20080317 Mutiple Timesheets <= 5.0 - Multiple Remote Vulnerabilities", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Multiple Time Sheets (MTS) 5.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the tab parameter to (1) index.php, as demonstrated using mixed case and encoded whitespace characters in the tag; or (2) clientinfo.php, (3) invoices.php, (4) smartlinks.php, and (5) todo.php, as demonstrated using a META tag."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2008-1414", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2008-03-20T10:44Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:riceball:multiple_time_sheets:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-11T20:33Z"}