Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 4.3
CVE Id: CVE-2008-7092
Last Modified: 28 Aug 2009 12:00:00
Published: 26 Aug 2009 10:24:17
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2008-7092

Summary

Multiple cross-site scripting (XSS) vulnerabilities in Unica Affinium Campaign 7.2.1.0.55 allow remote attackers to inject arbitrary web script or HTML via a Javascript event in the (1) url, (2) PageName, and (3) title parameters in a CustomBookMarkLink action to Campaign/Campaign; (4) a Javascript event in the displayIcon parameter to Campaign/updateOfferTemplateSubmit.do (aka the templates web page); (5) crafted input to Campaign/CampaignListener (aka the listener server), which is not properly handled when displaying the status log; and (6) id parameter to Campaign/campaignDetails.do, (7) id parameter to Campaign/offerDetails.do, (8) function parameter to Campaign/Campaign, (9) sessionID parameter to Campaign/runAllFlowchart.do, (10) id parameter in an edit action to Campaign/updateOfferTemplatePage.do, (11) Frame parameter in a LoadFrame action to Campaign/Campaign, (12) affiniumUserName parameter to manager/jsp/test.jsp, (13) affiniumUserName parameter to Campaign/main.do, and possibly other vectors.

Vulnerable Systems

Application

  • Unica Affinium Campaign 7.2.1.0.55


References

XF - affiniumcampaign-multiple-xss(44074)

XF - affiniumcampaign-campaignlistener-xss(44073)

XF - affiniumcampaign-displayicon-xss(44072)

BID - 30433

MISC - http://www.portcullis.co.uk/290.php

MISC - http://www.portcullis.co.uk/289.php

MISC - http://www.portcullis.co.uk/288.php

MISC - http://www.portcullis.co.uk/286.php

OSVDB - 47530

OSVDB - 47528

OSVDB - 47526

OSVDB - 47525

OSVDB - 47524

OSVDB - 47523

OSVDB - 47522

OSVDB - 47521

OSVDB - 47520

SECUNIA - 31280


Last Updated: 27 May 2016 10:49:28