2.6
CVE-2009-2006
- EPSS 1.29%
- Veröffentlicht 08.06.2009 19:30:00
- Zuletzt bearbeitet 16.06.2026 23:08:33
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginMultiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.5, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) search_term parameter to main/auth/courses.php; the (2) frm_title and (3) frm_content parameters in a new personal agenda item action; the (4) title and (5) tutor_name parameters in a new course action; and the (6) student and (7) course parameters to main/mySpace/myStudents.php. NOTE: vectors 2 and 3 might only be exploitable via a separate CSRF vulnerability.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.29% | 0.664 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 2.6 | 4.9 | 2.9 |
AV:N/AC:H/Au:N/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
http://holisticinfosec.org/content/view/112/45/
http://secunia.com/advisories/34879
http://www.dokeos.com/wiki/index.php/Security#Dokeos_1.8
http://www.securityfocus.com/bid/34928
http://www.vupen.com/english/advisories/2009/1300
https://exchange.xforce.ibmcloud.com/vulnerabilities/50498
https://exchange.xforce.ibmcloud.com/vulnerabilities/50500
https://exchange.xforce.ibmcloud.com/vulnerabilities/50502