CVE-2012-1004

08.02.2012, 04:11

Multiple cross-site scripting (XSS) vulnerabilities in UI/Register.pm in Foswiki before 1.1.5 allow remote authenticated users with CHANGE privileges to inject arbitrary web script or HTML via the (1) text, (2) FirstName, (3) LastName, (4) OrganisationName, (5) OrganisationUrl, (6) Profession, (7) Country, (8) State, (9) Address, (10) Location, (11) Telephone, (12) VoIP, (13) InstantMessagingIM, (14) Email, (15) HomePage, or (16) Comment parameter.  NOTE: some of these details are obtained from third party information.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	2.1 UNKNOWN	NETWORK	HIGH		AV:N/AC:H/Au:S/C:N/I:P/A:N
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 49%

Vendor	Product	Version
foswiki	foswiki	1.1.0
foswiki	foswiki	1.1.1
foswiki	foswiki	1.1.2
foswiki	foswiki	1.1.3
foswiki	foswiki	1.1.4
foswiki	foswiki	1.1.4:beta
foswiki	foswiki	1.1.4:rc

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

http://foswiki.org/Support/SecurityAlert-CVE-2012-1004

http://foswiki.org/Tasks/Item11498

http://foswiki.org/Tasks/Item11501

http://secunia.com/advisories/47849

http://st2tea.blogspot.com/2012/02/foswiki-cross-site-scripting.html

http://foswiki.org/Support/SecurityAlert-CVE-2012-1004

http://foswiki.org/Tasks/Item11498

http://foswiki.org/Tasks/Item11501

http://secunia.com/advisories/47849

http://st2tea.blogspot.com/2012/02/foswiki-cross-site-scripting.html