Multiple cross-site scripting (XSS) vulnerabilities in Achievo before 1.4.0 allow remote attackers to inject arbitrary web script or HTML via (1) the scheduler title in the scheduler module, and the (2) atksearch[contractnumber], (3) atksearch_AE_customer[customer], (4) atksearchmode[contracttype], and possibly (5) atksearch[contractname] parameters to the Organization Contracts administration page, reachable through dispatch.php.
| Version | Base score | Base severity | Vector |
|---|
| Hyperlink | Resource Type |
|---|
Multiple cross-site scripting (XSS) vulnerabilities in Achievo before 1.4.0 allow remote attackers to inject arbitrary web script or HTML via (1) the scheduler title in the scheduler module, and the (2) atksearch[contractnumber], (3) atksearch_AE_customer[customer], (4) atksearchmode[contracttype], and possibly (5) atksearch[contractname] parameters to the Organization Contracts administration page, reachable through dispatch.php.
| Type | CWE ID | Description |
|---|---|---|
| text | N/A | n/a |
| Version | Base score | Base severity | Vector |
|---|
| CAPEC ID | Description |
|---|
| Event | Date |
|---|
| Hyperlink | Resource |
|---|---|
| https://exchange.xforce.ibmcloud.com/vulnerabilities/53745 | vdb-entry x_refsource_XF |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/53744 | vdb-entry x_refsource_XF |
| http://secunia.com/advisories/37035 | third-party-advisory x_refsource_SECUNIA |
| http://securitytracker.com/id?1023017 | vdb-entry x_refsource_SECTRACK |
| http://www.securityfocus.com/bid/36661 | vdb-entry x_refsource_BID |
| http://www.achievo.org/download/releasenotes/1_4_0 | x_refsource_CONFIRM |
| http://www.bonsai-sec.com/blog/index.php/cross-site-scripting-payloads/ | x_refsource_MISC |
| http://www.securityfocus.com/archive/1/507133/100/0/threaded | mailing-list x_refsource_BUGTRAQ |
| http://www.bonsai-sec.com/research/vulnerabilities/achievo-multiple-xss-0101.txt | x_refsource_MISC |
| Version | Base score | Base severity | Vector |
|---|
| CAPEC ID | Description |
|---|
| Event | Date |
|---|
| Hyperlink | Resource |
|---|---|
| https://exchange.xforce.ibmcloud.com/vulnerabilities/53745 | vdb-entry x_refsource_XF x_transferred |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/53744 | vdb-entry x_refsource_XF x_transferred |
| http://secunia.com/advisories/37035 | third-party-advisory x_refsource_SECUNIA x_transferred |
| http://securitytracker.com/id?1023017 | vdb-entry x_refsource_SECTRACK x_transferred |
| http://www.securityfocus.com/bid/36661 | vdb-entry x_refsource_BID x_transferred |
| http://www.achievo.org/download/releasenotes/1_4_0 | x_refsource_CONFIRM x_transferred |
| http://www.bonsai-sec.com/blog/index.php/cross-site-scripting-payloads/ | x_refsource_MISC x_transferred |
| http://www.securityfocus.com/archive/1/507133/100/0/threaded | mailing-list x_refsource_BUGTRAQ x_transferred |
| http://www.bonsai-sec.com/research/vulnerabilities/achievo-multiple-xss-0101.txt | x_refsource_MISC x_transferred |
Multiple cross-site scripting (XSS) vulnerabilities in Achievo before 1.4.0 allow remote attackers to inject arbitrary web script or HTML via (1) the scheduler title in the scheduler module, and the (2) atksearch[contractnumber], (3) atksearch_AE_customer[customer], (4) atksearchmode[contracttype], and possibly (5) atksearch[contractname] parameters to the Organization Contracts administration page, reachable through dispatch.php.
| Date Added | Due Date | Vulnerability Name | Required Action |
|---|---|---|---|
| N/A |
| Type | Version | Base score | Base severity | Vector |
|---|---|---|---|---|
| Primary | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |