ID CVE-2005-2430
Summary Multiple cross-site scripting (XSS) vulnerabilities in GForge 4.5 allow remote attackers to inject arbitrary web script or HTML via the (1) forum_id or (2) group_id parameter to forum.php, (3) project_task_id parameter to task.php, (4) id parameter to detail.php, (5) the text field on the search page, (6) group_id parameter to qrs.php, (7) form, (8) rows, (9) cols or (10) wrap parameter to notepad.php, or the login field on the login form.
References
Vulnerable Configurations
  • cpe:2.3:a:gforge:gforge:4.5
    cpe:2.3:a:gforge:gforge:4.5
CVSS
Base: 4.3 (as of 04-08-2005 - 07:53)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_D7CD501508C911DABC080001020EED82.NASL
    description Jose Antonio Coret reports that GForge contains multiple Cross Site Scripting vulnerabilities and an e-mail flood vulnerability : The login form is also vulnerable to XSS (Cross Site Scripting) attacks. This may be used to launch phising attacks by sending HTML e-mails (i.e.: saying that you need to upgrade to the latest GForge version due to a security problem) and putting in the e-mail an HTML link that points to an specially crafted url that inserts an html form in the GForge login page and when the user press the login button, he/she send the credentials to the attackers website. The 'forgot your password?' feature allows a remote user to load a certain URL to cause the service to send a validation e-mail to the specified user's e-mail address. There is no limit to the number of messages sent over a period of time, so a remote user can flood the target user's secondary e-mail address. E-Mail Flood, E-Mail bomber.
    last seen 2019-02-21
    modified 2013-06-22
    plugin id 56498
    published 2011-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56498
    title FreeBSD : gforge -- XSS and email flood vulnerabilities (d7cd5015-08c9-11da-bc08-0001020eed82)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1094.NASL
    description Joxean Koret discovered several cross-site scripting vulnerabilities in Gforge, an online collaboration suite for software development, which allow injection of web script code.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22636
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22636
    title Debian DSA-1094-1 : gforge - missing input sanitising
  • NASL family CGI abuses : XSS
    NASL id GFORGE_45.NASL
    description The remote host is running GForge, an open source software development collaborative toolset using PHP and PostgreSQL. The installed version of GForge on the remote host fails to properly sanitize user-supplied input to several parameters / scripts before using it in dynamically-generated pages. An attacker can exploit these flaws to launch cross-site scripting attacks against the affected application.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 19314
    published 2005-07-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19314
    title GForge <= 4.5 Multiple Script XSS
refmap via4
bid 14405
bugtraq 20050727 Cross Site Scripting vulnerabilities in GForge
debian DSA-1094
osvdb
  • 18299
  • 18300
  • 18301
  • 18302
  • 18303
  • 18304
secunia
  • 16253
  • 20622
xf gforge-multiple-xss(21558)
Last major update 17-10-2016 - 23:27
Published 03-08-2005 - 00:00
Last modified 10-07-2017 - 21:32
Back to Top