CVE & Exploit Intelligence Database

CVE-2008-3330 EPSS 0.00

Cross-site scripting (XSS) vulnerability in services/obrowser/index.php in Horde 3.2 and Turba 2.2 allows remote attackers to inject arbitrary web script or HTML via the contact name.

CWE-79 Jul 27, 2008

CVE-2008-3316 EPSS 0.00

Cross-site scripting (XSS) vulnerability in the search feature in the Forum plugin before 2.7.1 for Geeklog allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably related to (1) public_html/index.php, (2) config.php, and (3) functions.inc.

CWE-79 Jul 25, 2008

CVE-2008-3305 1 PoC Analysis EPSS 0.09

Cross-site scripting (XSS) vulnerability in mensaje.php in C. Desseno YouTube Blog (ytb) 0.1 allows remote attackers to inject arbitrary web script or HTML via the m parameter.

CWE-79 Jul 25, 2008

CVE-2008-3326 1 PoC Analysis EPSS 0.01

Cross-site scripting (XSS) vulnerability in blog/edit.php in Moodle 1.6.x before 1.6.7 and 1.7.x before 1.7.5 allows remote attackers to inject arbitrary web script or HTML via the etitle parameter (blog entry title).

CWE-79 Jul 25, 2008

CVE-2008-3315 4 PoCs Analysis EPSS 0.02

Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.8.10 allow remote attackers to inject arbitrary web script or HTML via the (1) query string to (a) announcements/messages.php; (b) lostPassword.php and (c) profile.php in auth/; (d) calendar/myagenda.php; (e) group/group.php; (f) learningPath.php, (g) learningPathList.php, and (h) module.php in learnPath/; (i) phpbb/index.php; (j) courseLog.php, (k) course_access_details.php, (l) delete_course_stats.php, (m) userLog.php, and (n) user_access_details.php in tracking/; (o) user/user.php; and (p) user/userInfo.php; the (2) view parameter to (q) tracking/courseLog.php; and the (3) toolId parameter to (r) tracking/toolaccess_details.php. NOTE: this may overlap CVE-2006-3257 and CVE-2005-1374.

CWE-79 Jul 25, 2008

CVE-2008-3295 1 PoC Analysis EPSS 0.01

Cross-site scripting (XSS) vulnerability in modules/system/admin.php in XOOPS 2.0.18.1 allows remote attackers to inject arbitrary web script or HTML via the fct parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

CWE-79 Jul 25, 2008

CVE-2008-3301 1 PoC Analysis EPSS 0.01

Multiple cross-site scripting (XSS) vulnerabilities in BilboBlog 0.2.1 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) content parameter to admin/update.php, related to conflicting code in widget.php; and allow remote attackers to inject arbitrary web script or HTML via the (2) titleId parameter to head.php, reachable through index.php; the (3) t_lang[lang_copyright] parameter to footer.php; the (4) content parameter to the default URI under admin/; the (5) url, (6) t_lang[lang_admin_help], (7) t_lang[lang_admin_clear_cache], (8) t_lang[lang_admin_home], and (9) t_lang[lang_admin_logout] parameters to admin/homelink.php; and the (10) t_lang[lang_admin_new_post] parameter to admin/post.php. NOTE: some of these details are obtained from third party information.

CWE-79 Jul 25, 2008

CVE-2008-3260 12 PoCs Analysis EPSS 0.03

Multiple cross-site scripting (XSS) vulnerabilities in Claroline before 1.8.10 allow remote attackers to inject arbitrary web script or HTML via (1) the cwd parameter in a rqMkHtml action to document/rqmkhtml.php, or the query string to (2) announcements/announcements.php, (3) calendar/agenda.php, (4) course/index.php, (5) course_description/index.php, (6) document/document.php, (7) exercise/exercise.php, (8) group/group_space.php, (9) phpbb/newtopic.php, (10) phpbb/reply.php, (11) phpbb/viewtopic.php, (12) wiki/wiki.php, or (13) work/work.php in claroline/.

CWE-79 Jul 22, 2008

CVE-2008-3253 EPSS 0.01

Cross-site scripting (XSS) vulnerability in the XenAPI HTTP interfaces in Citrix XenServer Express, Standard, and Enterprise Edition 4.1.0; Citrix XenServer Dell Edition (Express and Enterprise) 4.1.0; and HP integrated Citrix XenServer (Select and Enterprise) 4.1.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CWE-79 Jul 22, 2008

CVE-2008-3255 EPSS 0.01

Cross-site scripting (XSS) vulnerability in LunarNight Laboratory WebProxy 1.7.8 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CWE-79 Jul 22, 2008

CVE-2008-3237 1 PoC Analysis EPSS 0.07

Cross-site scripting (XSS) vulnerability in forward_to_friend.php in ITechBids 7.0 Gold allows remote attackers to inject arbitrary web script or HTML via the productid parameter.

CWE-79 Jul 21, 2008

CVE-2008-3233 1 PoC Analysis EPSS 0.00

Cross-site scripting (XSS) vulnerability in WordPress before 2.6, SVN development versions only, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CWE-79 Jul 18, 2008

CVE-2008-3219 EPSS 0.01

The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.

CWE-79 Jul 18, 2008

CVE-2008-3218 EPSS 0.01

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values.

CWE-79 Jul 18, 2008

CVE-2008-3202 1 PoC Analysis EPSS 0.00

Cross-site scripting (XSS) vulnerability in index.php in Xomol CMS 1.2 allows remote attackers to inject arbitrary web script or HTML via the current_url parameter in a tellafriend action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

CWE-79 Jul 17, 2008

CVE-2008-3201 1 PoC Analysis EPSS 0.00

Multiple cross-site scripting (XSS) vulnerabilities in index.php in Pagefusion 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) acct_fname and (2) acct_lname parameters in an edit action, and the (3) PID, (4) PGID, and (5) rez parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

CWE-79 Jul 17, 2008

CVE-2008-3186 5 PoCs Analysis EPSS 0.00

Multiple cross-site scripting (XSS) vulnerabilities in Chipmunk Blog (Blogger) allow remote attackers to inject arbitrary web script or HTML via the membername parameter to (1) members.php, (2) comments.php, (3) photos.php, (4) archive.php, or (5) cat.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

CWE-79 Jul 15, 2008

CVE-2008-3184 1 PoC Analysis EPSS 0.03

Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.10 PL2 and earlier, and 3.7.2 and earlier 3.7.x versions, allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO (PHP_SELF) or (2) the do parameter, as demonstrated by requests to upload/admincp/faq.php. NOTE: this issue can be leveraged to execute arbitrary PHP code.

CWE-79 Jul 15, 2008

CVE-2008-3180 1 PoC Analysis EPSS 0.04

Multiple cross-site scripting (XSS) vulnerabilities in upload/file/language_menu.php in ContentNow CMS 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) pageid parameter or (2) PATH_INFO.

CWE-79 Jul 15, 2008

CVE-2008-3161 1 PoC Analysis EPSS 0.02

Multiple cross-site scripting (XSS) vulnerabilities in jsp/common/system/debug.jsp in IBM Maximo 4.1 and 5.2 allow remote attackers to inject arbitrary web script or HTML via the (1) Accept, (2) Accept-Language, (3) UA-CPU, (4) Accept-Encoding, (5) User-Agent, or (6) Cookie HTTP header. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

CWE-79 Jul 14, 2008