CVE-2010-0971

Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.6.4 allow remote authenticated users, with Instructor privileges, to inject arbitrary web script or HTML via the (1) Question and (2) Choice fields in tools/polls/add.php, the (3) Type and (4) Title fields in tools/groups/create_manual.php, and the (5) Title field in assignments/add_assignment.php. NOTE: some of these details are obtained from third party information.

CVSS v2.0 2.1 LOW

2.1^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:H/Au:S/C:N/I:P/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://osvdb.org/62904
http://osvdb.org/62906
http://www.exploit-db.com/exploits/11685	Exploit
http://secunia.com/advisories/38906	Vendor Advisory
http://osvdb.org/62905
http://www.securityfocus.com/bid/38656
http://packetstormsecurity.org/1003-exploits/atutor-xss.txt	Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/56852

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:atutor:atutor:1.6.4:*:*:*:*:*:*:*

Information

Published : 2010-03-16 12:00

Updated : 2017-08-16 18:32

NVD link : CVE-2010-0971

Mitre link : CVE-2010-0971

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advertisement

Products Affected

atutor

atutor

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://osvdb.org/62904", "name": "62904", "tags": [], "refsource": "OSVDB"}, {"url": "http://osvdb.org/62906", "name": "62906", "tags": [], "refsource": "OSVDB"}, {"url": "http://www.exploit-db.com/exploits/11685", "name": "11685", "tags": ["Exploit"], "refsource": "EXPLOIT-DB"}, {"url": "http://secunia.com/advisories/38906", "name": "38906", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://osvdb.org/62905", "name": "62905", "tags": [], "refsource": "OSVDB"}, {"url": "http://www.securityfocus.com/bid/38656", "name": "38656", "tags": [], "refsource": "BID"}, {"url": "http://packetstormsecurity.org/1003-exploits/atutor-xss.txt", "name": "http://packetstormsecurity.org/1003-exploits/atutor-xss.txt", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56852", "name": "atutor-add-xss(56852)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.6.4 allow remote authenticated users, with Instructor privileges, to inject arbitrary web script or HTML via the (1) Question and (2) Choice fields in tools/polls/add.php, the (3) Type and (4) Title fields in tools/groups/create_manual.php, and the (5) Title field in assignments/add_assignment.php. NOTE: some of these details are obtained from third party information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2010-0971", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 2.1, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "LOW", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2010-03-16T19:00Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:atutor:atutor:1.6.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-08-17T01:32Z"}