CVE-2005-4493 - Vulnerability Details - OpenCVE

Cross-site scripting (XSS) vulnerability in SpearTek 6.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified search parameters.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.0124.

Key SSVC decision points have not yet been added.

Vendors	Products
Speartek	Speartek

Configuration 1 [-]

cpe:2.3:a:speartek:speartek:6.0:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://pridels0.blogspot.com/2005/12/speartek-xss-vuln.html
http://www.attrition.org/pipermail/vim/2006-August/001008.html
http://www.osvdb.org/22068
http://www.securityfocus.com/bid/16018
http://www.vupen.com/english/advisories/2005/3052

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2005-12-22T11:00:00

Updated: 2024-08-07T23:46:05.163Z

Reserved: 2005-12-22T00:00:00

Link: CVE-2005-4493

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2005-12-22T11:03:00.000

Modified: 2025-04-03T01:03:51.193

Link: CVE-2005-4493

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2005-12-21T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in SpearTek 6.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified search parameters."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2006-04-04T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20060830 22068: Speartek Search Module XSS (fwd)", "tags": ["mailing-list", "x_refsource_VIM"], "url": "http://www.attrition.org/pipermail/vim/2006-August/001008.html"}, {"name": "16018", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/16018"}, {"name": "22068", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/22068"}, {"name": "ADV-2005-3052", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2005/3052"}, {"tags": ["x_refsource_MISC"], "url": "http://pridels0.blogspot.com/2005/12/speartek-xss-vuln.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2005-4493", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in SpearTek 6.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified search parameters."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20060830 22068: Speartek Search Module XSS (fwd)", "refsource": "VIM", "url": "http://www.attrition.org/pipermail/vim/2006-August/001008.html"}, {"name": "16018", "refsource": "BID", "url": "http://www.securityfocus.com/bid/16018"}, {"name": "22068", "refsource": "OSVDB", "url": "http://www.osvdb.org/22068"}, {"name": "ADV-2005-3052", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2005/3052"}, {"name": "http://pridels0.blogspot.com/2005/12/speartek-xss-vuln.html", "refsource": "MISC", "url": "http://pridels0.blogspot.com/2005/12/speartek-xss-vuln.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T23:46:05.163Z"}, "title": "CVE Program Container", "references": [{"name": "20060830 22068: Speartek Search Module XSS (fwd)", "tags": ["mailing-list", "x_refsource_VIM", "x_transferred"], "url": "http://www.attrition.org/pipermail/vim/2006-August/001008.html"}, {"name": "16018", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/16018"}, {"name": "22068", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/22068"}, {"name": "ADV-2005-3052", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2005/3052"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://pridels0.blogspot.com/2005/12/speartek-xss-vuln.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2005-4493", "datePublished": "2005-12-22T11:00:00", "dateReserved": "2005-12-22T00:00:00", "dateUpdated": "2024-08-07T23:46:05.163Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:speartek:speartek:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "4B36FFFB-FE80-4286-BA79-0B1195321F67", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in SpearTek 6.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified search parameters."}], "id": "CVE-2005-4493", "lastModified": "2025-04-03T01:03:51.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2005-12-22T11:03:00.000", "references": [{"source": "cve@mitre.org", "url": "http://pridels0.blogspot.com/2005/12/speartek-xss-vuln.html"}, {"source": "cve@mitre.org", "url": "http://www.attrition.org/pipermail/vim/2006-August/001008.html"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/22068"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/16018"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2005/3052"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://pridels0.blogspot.com/2005/12/speartek-xss-vuln.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.attrition.org/pipermail/vim/2006-August/001008.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/22068"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/16018"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2005/3052"}], "sourceIdentifier": "cve@mitre.org", "vendorComments": [{"comment": "We are aware of numerous existing script vulnerabilities and exploits and stand by the security of our system and our ability to address these. This particular exploit is not particularly serious as no sensitive or private user information is ever held within cookies during our checkout process. All user information and client information is secure in our platform. We take all security threats quite seriously and view the efforts of the author of this particular exploit as harmful to our professional image. This is especially important to note because the particular script vulnerability that has been raised poses no real threat to the stability or security of our systems. Again, we are formally responding to this posted cross-site script vulnerability to communicate that we take all such potential security issues very seriously and this particular issue has been addressed.\n\nIn version 7.0.0 of our software, we have addressed the mentioned cross site scripting vulnerabilities. On any page that a form is on, the query string is sanitized to eliminate the vectors outlined in the XSS vulnerability. Form data is handled to protect against a form post from a different site to try and initialize a cross site scripting attacking via a form post. Sensitive data is not stored in session cookies and in the event that a cookie was stolen, it would contain nothing useful for the attacker. Our software is a hosted application, which allows us to make quick remedies as new exploits are found. Also, our system is monitored consistently and alerts are sent to our administrators when any malicious attempt is seen. The details of this alert include the data sent, from what referral and if there is a specific user that is being targeted on our system.", "lastModified": "2006-11-07T00:00:00", "organization": "Speartek"}], "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}