Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 4.3
CVE Id CVE-2009-1070
Last Modified 27 Mar 2009 12:00:00
Published 26 Mar 2009 01:51:52
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2009-1070

Summary

Cross-site scripting (XSS) vulnerability in system/index.php in ExpressionEngine 1.6.4 through 1.6.6, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the avatar parameter.

Vulnerable Systems

Application

  • ExpressionEngine 1.6.4

  • ExpressionEngine 1.6.5

  • ExpressionEngine 1.6.6


References

XF - expressionengine-avatar-xss(49359)

BID - 34193

BUGTRAQ - 20090322 ExpressionEngine Persistent Cross-Site Scripting

MISC - http://www.ngenuity.org/wordpress/2009/01/28/ngenuity-2009-003-expressionengine-persistent-cross-site-scripting/

SECUNIA - 34379

CONFIRM - http://expressionengine.com/docs/changelog.html#v167


Last Updated: 27 May 2016 10:50:27