CVE-2004-2411 - OpenCVE

The CleanseMessage function in shop$db.asp for VP-ASP Shopping Cart 4.0 through 5.0 does not sufficiently cleanse inputs, which allows remote attackers to conduct cross-site scripting (XSS) attacks that do not use <script> tags, as demonstrated via javascript in IMG tags to (1) the cat parameter in shopdisplayproducts.asp or (2) the msg parameter in shoperror.asp, and possibly other vectors.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Virtual Programming	Vp-asp

Configuration 1 [-]

OR	cpe:2.3:a:virtual_programming:vp-asp:4.0:::::::*
	cpe:2.3:a:virtual_programming:vp-asp:4.50:::::::*
	cpe:2.3:a:virtual_programming:vp-asp:5.0:::::::*

No data.

References

Link	Providers
http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0363.html
http://secunia.com/advisories/11846
http://www.osvdb.org/6949
http://www.providesecurity.com/research/advisories/06142004-01.asp
http://www.securityfocus.com/bid/10530
http://www.securityfocus.com/bid/10534
http://www.vpasp.com/virtprog/info/faq_securityfixes.htm
https://exchange.xforce.ibmcloud.com/vulnerabilities/16411

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2005-08-18T04:00:00

Updated: 2024-08-08T01:29:13.420Z

Reserved: 2005-08-18T00:00:00

Link: CVE-2004-2411

Vulnrichment

No data.

NVD

Status : Modified

Published: 2004-12-31T05:00:00.000

Modified: 2017-07-11T01:31:52.280

Link: CVE-2004-2411

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2004-06-12T00:00:00", "descriptions": [{"lang": "en", "value": "The CleanseMessage function in shop$db.asp for VP-ASP Shopping Cart 4.0 through 5.0 does not sufficiently cleanse inputs, which allows remote attackers to conduct cross-site scripting (XSS) attacks that do not use <script> tags, as demonstrated via javascript in IMG tags to (1) the cat parameter in shopdisplayproducts.asp or (2) the msg parameter in shoperror.asp, and possibly other vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-10T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "11846", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/11846"}, {"tags": ["x_refsource_MISC"], "url": "http://www.providesecurity.com/research/advisories/06142004-01.asp"}, {"name": "6949", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/6949"}, {"name": "10530", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/10530"}, {"name": "10534", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/10534"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.vpasp.com/virtprog/info/faq_securityfixes.htm"}, {"name": "vpasp-shoperror-xss(16411)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16411"}, {"name": "20040613 VP-ASP Shopping Cart Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0363.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2004-2411", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The CleanseMessage function in shop$db.asp for VP-ASP Shopping Cart 4.0 through 5.0 does not sufficiently cleanse inputs, which allows remote attackers to conduct cross-site scripting (XSS) attacks that do not use <script> tags, as demonstrated via javascript in IMG tags to (1) the cat parameter in shopdisplayproducts.asp or (2) the msg parameter in shoperror.asp, and possibly other vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "11846", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/11846"}, {"name": "http://www.providesecurity.com/research/advisories/06142004-01.asp", "refsource": "MISC", "url": "http://www.providesecurity.com/research/advisories/06142004-01.asp"}, {"name": "6949", "refsource": "OSVDB", "url": "http://www.osvdb.org/6949"}, {"name": "10530", "refsource": "BID", "url": "http://www.securityfocus.com/bid/10530"}, {"name": "10534", "refsource": "BID", "url": "http://www.securityfocus.com/bid/10534"}, {"name": "http://www.vpasp.com/virtprog/info/faq_securityfixes.htm", "refsource": "CONFIRM", "url": "http://www.vpasp.com/virtprog/info/faq_securityfixes.htm"}, {"name": "vpasp-shoperror-xss(16411)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16411"}, {"name": "20040613 VP-ASP Shopping Cart Multiple Vulnerabilities", "refsource": "FULLDISC", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0363.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-08T01:29:13.420Z"}, "title": "CVE Program Container", "references": [{"name": "11846", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/11846"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.providesecurity.com/research/advisories/06142004-01.asp"}, {"name": "6949", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/6949"}, {"name": "10530", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/10530"}, {"name": "10534", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/10534"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.vpasp.com/virtprog/info/faq_securityfixes.htm"}, {"name": "vpasp-shoperror-xss(16411)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16411"}, {"name": "20040613 VP-ASP Shopping Cart Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0363.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2004-2411", "datePublished": "2005-08-18T04:00:00", "dateReserved": "2005-08-18T00:00:00", "dateUpdated": "2024-08-08T01:29:13.420Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:virtual_programming:vp-asp:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "ABED79BC-78D4-4FD7-98F6-7927517B90E7", "vulnerable": true}, {"criteria": "cpe:2.3:a:virtual_programming:vp-asp:4.50:*:*:*:*:*:*:*", "matchCriteriaId": "E6ABD9A1-F2B0-4925-996E-97D708EF9D37", "vulnerable": true}, {"criteria": "cpe:2.3:a:virtual_programming:vp-asp:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "AD70583E-49D6-4C31-B8B6-FA9ED0F65DFF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The CleanseMessage function in shop$db.asp for VP-ASP Shopping Cart 4.0 through 5.0 does not sufficiently cleanse inputs, which allows remote attackers to conduct cross-site scripting (XSS) attacks that do not use <script> tags, as demonstrated via javascript in IMG tags to (1) the cat parameter in shopdisplayproducts.asp or (2) the msg parameter in shoperror.asp, and possibly other vectors."}], "id": "CVE-2004-2411", "lastModified": "2017-07-11T01:31:52.280", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2004-12-31T05:00:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0363.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/11846"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/6949"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "http://www.providesecurity.com/research/advisories/06142004-01.asp"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/10530"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch"], "url": "http://www.securityfocus.com/bid/10534"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.vpasp.com/virtprog/info/faq_securityfixes.htm"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16411"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}