CVE-2010-2123

01.06.2010, 21:30

Multiple cross-site scripting (XSS) vulnerabilities in the Storm module 5.x and 6.x before 6.x-1.33 for Drupal allow remote authenticated users, with certain module privileges, to inject arbitrary web script or HTML via the (1) fullname, (2) address, (3) city, (4) provstate (aka state), (5) phone, or (6) taxid parameter in a stormorganization action to index.php; the (7) name parameter in a stormperson action to index.php; the (8) stepno (aka Step no.) or (9) title parameter in a stormtask action to index.php; the (10) title (aka Project) parameter in a stormticket action to index.php; or (11) unspecified parameters in a stormproject action to index.php.  NOTE: some of these details are obtained from third party information.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Vector
NIST	NIST	2.1 UNKNOWN	NETWORK	HIGH	AV:N/AC:H/Au:S/C:N/I:P/A:N
mitre	CNA	---			---
CVE	ADP	---			---

Base Score

CVSS 3.x

EPSS Score

Percentile: 50%

Vendor	Product	Version
speedtech	storm	5.x-1.1:x
speedtech	storm	5.x-1.2:x
speedtech	storm	5.x-1.3:x
speedtech	storm	5.x-1.4:x
speedtech	storm	5.x-1.5:x
speedtech	storm	5.x-1.6:x
speedtech	storm	5.x-1.7:x
speedtech	storm	5.x-1.8:x
speedtech	storm	5.x-1.9:x
speedtech	storm	5.x-1.10:x
speedtech	storm	5.x-1.11:x
speedtech	storm	5.x-1.12:x
speedtech	storm	5.x-1.13:x
speedtech	storm	5.x-1.14:x
speedtech	storm	5.x-1.x:x
speedtech	storm	6.x-1.0:x
speedtech	storm	6.x-1.1:x
speedtech	storm	6.x-1.2:x
speedtech	storm	6.x-1.3:x
speedtech	storm	6.x-1.4:x
speedtech	storm	6.x-1.5:x
speedtech	storm	6.x-1.6:x
speedtech	storm	6.x-1.7:x
speedtech	storm	6.x-1.8:x
speedtech	storm	6.x-1.9:x
speedtech	storm	6.x-1.10:x
speedtech	storm	6.x-1.11:x
speedtech	storm	6.x-1.12:x
speedtech	storm	6.x-1.13:x
speedtech	storm	6.x-1.14:x
speedtech	storm	6.x-1.15:x
speedtech	storm	6.x-1.16:x
speedtech	storm	6.x-1.17:x
speedtech	storm	6.x-1.18:x
speedtech	storm	6.x-1.19:x
speedtech	storm	6.x-1.20:x
speedtech	storm	6.x-1.21:x
speedtech	storm	6.x-1.22:x
speedtech	storm	6.x-1.23:x
speedtech	storm	6.x-1.24:x
speedtech	storm	6.x-1.25:x
speedtech	storm	6.x-1.26:x
speedtech	storm	6.x-1.27:x
speedtech	storm	6.x-1.28:x
speedtech	storm	6.x-1.29:x
speedtech	storm	6.x-1.30:x
speedtech	storm	6.x-1.31:x
speedtech	storm	6.x-1.32:x
speedtech	storm	6.x-1.x:x

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0160.html

http://drupal.org/node/803770

http://secunia.com/advisories/39732

http://www.osvdb.org/64616

http://www.securityfocus.com/bid/40288

https://exchange.xforce.ibmcloud.com/vulnerabilities/58717

http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0160.html

http://drupal.org/node/803770

http://secunia.com/advisories/39732

http://www.osvdb.org/64616

http://www.securityfocus.com/bid/40288

https://exchange.xforce.ibmcloud.com/vulnerabilities/58717