CVE-2008-2011

Cross-site scripting (XSS) vulnerability in the National Rail Enquiries Live Departure Boards gadget before 1.1 allows remote National Rail Enquiries servers or man-in-the-middle attackers to inject arbitrary web script or HTML, and execute arbitrary code, via a response body, as demonstrated by a SCRIPT element that references a vbscript: URI.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
VendorProductVersion
national_rail_enquiriesnational_rail_enquiries_live_departure_boards
𝑥
≤ 1.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.mwrinfosecurity.com/news/1690.html
http://www.mwrinfosecurity.com/publications/mwri_national-rail-enquiries-gadget-advisory_2008-04-24.pdf
http://www.securityfocus.com/bid/28933
https://exchange.xforce.ibmcloud.com/vulnerabilities/42043
http://www.mwrinfosecurity.com/news/1690.html
http://www.mwrinfosecurity.com/publications/mwri_national-rail-enquiries-gadget-advisory_2008-04-24.pdf
http://www.securityfocus.com/bid/28933
https://exchange.xforce.ibmcloud.com/vulnerabilities/42043