CVE-2005-1049 - Multiple cross-site scripting vulnerabilities in PostNuke 0.760-RC3 allow remote attackers to inject

CVE-2005-1049

Summary

Multiple cross-site scripting vulnerabilities in PostNuke 0.760-RC3 allow remote attackers to inject arbitrary web script or HTML via the (1) module parameter to admin.php or (2) op parameter to user.php. NOTE: the vendor reports that certain issues could not be reproduced for 760 RC3, or for .750. However, the op/user.php issue exists when the pnAntiCracker setting is disabled.

References

Vulnerable Configurations

cpe:2.3:a:postnuke_software_foundation:postnuke:0.760_rc3:*:*:*:*:*:*:*
cpe:2.3:a:postnuke_software_foundation:postnuke:0.760_rc3:*:*:*:*:*:*:*

CVSS

Base:	2.6 (as of 11-07-2017 - 01:32)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	HIGH	NONE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:N/AC:H/Au:N/C:N/I:P/A:N

refmap via4

bid	13075 13076
bugtraq	20050408 Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC3
misc	http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/user.php.diff?r1=1.18&r2=1.19 http://digitalparadox.org/advisories/postnuke.txt http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2679
osvdb	15370
sectrack	1013670
secunia	14868
xf	postnuke-adminphp-userphp-xss(20018)

Last major update

11-07-2017 - 01:32

Published

02-05-2005 - 04:00

Last modified

11-07-2017 - 01:32