CVE-2007-5403

Multiple cross-site scripting (XSS) vulnerabilities in Layton HelpBox 3.7.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) Forename, (2) Surname, (3) Telephone, and (4) Fax fields to writeenduserenduser.asp; the (5) Filter field to statsrequestypereport.asp; and the (6) sys_request_id parameter to requestattach.asp; and allow remote authenticated users to inject arbitrary web script or HTML via the (7) Asset, (8) Location, and (9) Problem fields to editrequestenduser.asp; the (10) Asset, (11) Asset Location, (12) Problem Desc, and (13) Solution Desc fields to editrequestuser.asp; and the (14) End User and (15) Description fields to usersearchrequests.asp. NOTE: vectors 5 and 6 do not require authentication to exploit.

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://secunia.com/advisories/27699	Vendor Advisory
http://secunia.com/secunia_research/2007-94/advisory/	Vendor Advisory
http://www.securityfocus.com/bid/27187
https://exchange.xforce.ibmcloud.com/vulnerabilities/39537
https://exchange.xforce.ibmcloud.com/vulnerabilities/39540
https://exchange.xforce.ibmcloud.com/vulnerabilities/39541
https://exchange.xforce.ibmcloud.com/vulnerabilities/39542
https://exchange.xforce.ibmcloud.com/vulnerabilities/39543

Configurations

Configuration 1 (hide)

cpe:2.3:a:layton_technology:helpbox:3.7.1:*:*:*:*:*:*:*

History

No history.

Information

Published : 2008-01-09 21:46

Updated : 2023-12-10 10:40

NVD link : CVE-2007-5403

Mitre link : CVE-2007-5403

CVE.ORG link : CVE-2007-5403

JSON object : View

Products Affected

layton_technology

helpbox

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2007-5403", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2008-01-09T21:46:00.000", "references": [{"url": "http://secunia.com/advisories/27699", "tags": ["Vendor Advisory"], "source": "PSIRT-CNA@flexerasoftware.com"}, {"url": "http://secunia.com/secunia_research/2007-94/advisory/", "tags": ["Vendor Advisory"], "source": "PSIRT-CNA@flexerasoftware.com"}, {"url": "http://www.securityfocus.com/bid/27187", "source": "PSIRT-CNA@flexerasoftware.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39537", "source": "PSIRT-CNA@flexerasoftware.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39540", "source": "PSIRT-CNA@flexerasoftware.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39541", "source": "PSIRT-CNA@flexerasoftware.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39542", "source": "PSIRT-CNA@flexerasoftware.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39543", "source": "PSIRT-CNA@flexerasoftware.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Layton HelpBox 3.7.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) Forename, (2) Surname, (3) Telephone, and (4) Fax fields to writeenduserenduser.asp; the (5) Filter field to statsrequestypereport.asp; and the (6) sys_request_id parameter to requestattach.asp; and allow remote authenticated users to inject arbitrary web script or HTML via the (7) Asset, (8) Location, and (9) Problem fields to editrequestenduser.asp; the (10) Asset, (11) Asset Location, (12) Problem Desc, and (13) Solution Desc fields to editrequestuser.asp; and the (14) End User and (15) Description fields to usersearchrequests.asp. NOTE: vectors 5 and 6 do not require authentication to exploit."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Layton HelpBox 3.7.1 permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML a trav\u00e9s de los campos (1) Forename, (2) Surname, (3) Telephone, y (4) Fax de writeenduserenduser.asp; el campo (5) Filter de statsrequestypereport.asp; y el par\u00e1metro (6) sys_request_id de requestattach.asp;y permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s de los campos (7) Asset, (8) Location, y (9) Problem de editrequestenduser.asp;los campos (10) Asset, (11) Asset Location, (12) Problem Desc, y (13) Solution Desc de editrequestuser.asp; y los campos (14) End User y (15) Description de usersearchrequests.asp. NOTA: los vectores 5 y 6 no requieren autenticaci\u00f3n para ser explotados."}], "lastModified": "2017-07-29T01:33:39.723", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:layton_technology:helpbox:3.7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C49D31B3-8A03-40BF-91A9-708D62FCD0D8"}], "operator": "OR"}]}], "sourceIdentifier": "PSIRT-CNA@flexerasoftware.com"}