CVE-2009-2733

Exploit

EPSS 2.76%
Published 16.10.2009 16:30:00
Last modified 09.04.2025 00:30:58
Source cve@mitre.org
Teams watchlist Login
Open Login

Multiple cross-site scripting (XSS) vulnerabilities in Achievo before 1.4.0 allow remote attackers to inject arbitrary web script or HTML via (1) the scheduler title in the scheduler module, and the (2) atksearch[contractnumber], (3) atksearch_AE_customer[customer], (4) atksearchmode[contracttype], and possibly (5) atksearch[contractname] parameters to the Organization Contracts administration page, reachable through dispatch.php.

Affected products Warnungen 0 Metrics 2 CWE 1 References 12

Data is provided by the National Vulnerability Database (NVD)

Achievo ≫ Achievo Version <= 1.3.4

Achievo ≫ Achievo Version0.7.0

Achievo ≫ Achievo Version0.7.1

Achievo ≫ Achievo Version0.7.2

Achievo ≫ Achievo Version0.7.3

Achievo ≫ Achievo Version0.8.0

Achievo ≫ Achievo Version0.8.0_rc1

Achievo ≫ Achievo Version0.8.0_rc2

Achievo ≫ Achievo Version0.8.1

Achievo ≫ Achievo Version0.9.0

Achievo ≫ Achievo Version0.9.1

Achievo ≫ Achievo Version1.0.0

Achievo ≫ Achievo Version1.0.0 Updaterc1

Achievo ≫ Achievo Version1.0.0 Updaterc2

Achievo ≫ Achievo Version1.0.0 Updaterc3

Achievo ≫ Achievo Version1.0.1

Achievo ≫ Achievo Version1.0.2

Achievo ≫ Achievo Version1.0.3

Achievo ≫ Achievo Version1.0.4

Achievo ≫ Achievo Version1.1.0

Achievo ≫ Achievo Version1.1.0 Updaterc1

Achievo ≫ Achievo Version1.1.0 Updaterc2

Achievo ≫ Achievo Version1.1.0 Updaterc3

Achievo ≫ Achievo Version1.2.0

Achievo ≫ Achievo Version1.2.0 Updaterc1

Achievo ≫ Achievo Version1.2.1

Achievo ≫ Achievo Version1.3.0

Achievo ≫ Achievo Version1.3.0 Updaterc1

Achievo ≫ Achievo Version1.3.0 Updaterc2

Achievo ≫ Achievo Version1.3.1

Achievo ≫ Achievo Version1.3.2

Achievo ≫ Achievo Version1.3.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.76%	0.854

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://secunia.com/advisories/37035

Vendor Advisory

http://securitytracker.com/id?1023017

http://www.achievo.org/download/releasenotes/1_4_0

Patch

http://www.bonsai-sec.com/blog/index.php/cross-site-scripting-payloads/

http://www.bonsai-sec.com/research/vulnerabilities/achievo-multiple-xss-0101.txt

Exploit

http://www.securityfocus.com/archive/1/507133/100/0/threaded

http://www.securityfocus.com/bid/36661

Exploit

https://exchange.xforce.ibmcloud.com/vulnerabilities/53744

https://exchange.xforce.ibmcloud.com/vulnerabilities/53745

https://nvd.nist.gov/vuln/detail/CVE-2009-2733

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2009-2733

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2009-2733

EUVD