CVE-2009-2733

Achievo < 1.4.0 - XSS

Title source: llm

Description

Multiple cross-site scripting (XSS) vulnerabilities in Achievo before 1.4.0 allow remote attackers to inject arbitrary web script or HTML via (1) the scheduler title in the scheduler module, and the (2) atksearch[contractnumber], (3) atksearch_AE_customer[customer], (4) atksearchmode[contracttype], and possibly (5) atksearch[contractname] parameters to the Organization Contracts administration page, reachable through dispatch.php.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Ryan Dewhurst · text · webapps · php
https://www.exploit-db.com/exploits/33281
exploitdb WRITEUP VERIFIED
by Ryan Dewhurst · text · webapps · php
https://www.exploit-db.com/exploits/9863

Scores

EPSS 0.0547
EPSS Percentile 90.1%

Classification

CWE
CWE-79
Status published

Affected Products (33)

achievo/achievo < 1.3.4

Timeline

Published Oct 16, 2009
Tracked Since Feb 18, 2026