Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 4.3
CVE Id: CVE-2009-2733
Last Modified: 16 Oct 2009 12:00:00
Published: 16 Oct 2009 12:30:00
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2009-2733

Summary

Multiple cross-site scripting (XSS) vulnerabilities in Achievo before 1.4.0 allow remote attackers to inject arbitrary web script or HTML via (1) the scheduler title in the scheduler module, and the (2) atksearch[contractnumber], (3) atksearch_AE_customer[customer], (4) atksearchmode[contracttype], and possibly (5) atksearch[contractname] parameters to the Organization Contracts administration page, reachable through dispatch.php.

Vulnerable Systems

Application

  • Achievo 0.7.0
  • Achievo 0.7.1
  • Achievo 0.7.2
  • Achievo 0.7.3
  • Achievo 0.8.0
  • Achievo 0.8.0 Rc1
  • Achievo 0.8.0 Rc2
  • Achievo 0.8.1
  • Achievo 0.9.0
  • Achievo 0.9.1
  • Achievo 1.0.0
  • Achievo 1.0.1
  • Achievo 1.0.2
  • Achievo 1.0.3
  • Achievo 1.0.4
  • Achievo 1.1.0
  • Achievo 1.2.0
  • Achievo 1.2.1
  • Achievo 1.3.0
  • Achievo 1.3.1
  • Achievo 1.3.2
  • Achievo 1.3.3
  • Achievo 1.3.4

References

CONFIRM - http://www.achievo.org/download/releasenotes/1_4_0
XF - achievo-dispatchphp-xss(53745)
XF - achievo-title-xss(53744)
BID - 36661
BUGTRAQ - 20091013 [BONSAI] XSS in Achievo - Customized XSS payload included
MISC - http://www.bonsai-sec.com/research/vulnerabilities/achievo-multiple-xss-0101.txt
MISC - http://www.bonsai-sec.com/blog/index.php/cross-site-scripting-payloads/
SECTRACK - 1023017
SECUNIA - 37035


Last Updated: 27 May 2016 10:51:00