CVE-2008-3860 - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities (1) in the WYSIWYG editors, (2) during local group creation, (3) during HTML redirects, (4) in the HTML import, (5) in the Rich text editor, and (6) in link-page in IBM Lotus Quickr 8.1 services for Lotus Domino before Hotfix 15 allow remote attackers to inject arbitrary web script or HTML via unknown vectors, including (7) the Imported Page. NOTE: the vulnerability in the WYSIWYG editors may exist because of an incomplete fix for CVE-2008-2163.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Aix I5os Lotus Quickr
Microsoft	Windows Nt

Configuration 1 [-]

AND

OR	cpe:2.3:o:ibm:aix::::::::
	cpe:2.3:o:ibm:i5os::::::::
	cpe:2.3:o:microsoft:windows_nt::::::::

cpe:2.3:a:ibm:lotus_quickr:8.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://osvdb.org/49772
http://osvdb.org/49776
http://secunia.com/advisories/31634
http://www-01.ibm.com/support/docview.wss?uid=swg27013341
http://www.securitytracker.com/id?1020762
http://www.vupen.com/english/advisories/2008/2444
https://exchange.xforce.ibmcloud.com/vulnerabilities/44694

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-08-29T16:22:00

Updated: 2024-08-07T09:53:00.432Z

Reserved: 2008-08-29T00:00:00

Link: CVE-2008-3860

Vulnrichment

No data.

NVD

Status : Modified

Published: 2008-08-29T16:41:00.000

Modified: 2017-08-08T01:32:13.763

Link: CVE-2008-3860

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-08-26T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities (1) in the WYSIWYG editors, (2) during local group creation, (3) during HTML redirects, (4) in the HTML import, (5) in the Rich text editor, and (6) in link-page in IBM Lotus Quickr 8.1 services for Lotus Domino before Hotfix 15 allow remote attackers to inject arbitrary web script or HTML via unknown vectors, including (7) the Imported Page. NOTE: the vulnerability in the WYSIWYG editors may exist because of an incomplete fix for CVE-2008-2163."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "49776", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/49776"}, {"name": "1020762", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1020762"}, {"name": "ibm-lotus-quickr-multiple-xss(44694)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44694"}, {"name": "49772", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/49772"}, {"name": "ADV-2008-2444", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/2444"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg27013341"}, {"name": "31634", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31634"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-3860", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities (1) in the WYSIWYG editors, (2) during local group creation, (3) during HTML redirects, (4) in the HTML import, (5) in the Rich text editor, and (6) in link-page in IBM Lotus Quickr 8.1 services for Lotus Domino before Hotfix 15 allow remote attackers to inject arbitrary web script or HTML via unknown vectors, including (7) the Imported Page. NOTE: the vulnerability in the WYSIWYG editors may exist because of an incomplete fix for CVE-2008-2163."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "49776", "refsource": "OSVDB", "url": "http://osvdb.org/49776"}, {"name": "1020762", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1020762"}, {"name": "ibm-lotus-quickr-multiple-xss(44694)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44694"}, {"name": "49772", "refsource": "OSVDB", "url": "http://osvdb.org/49772"}, {"name": "ADV-2008-2444", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/2444"}, {"name": "http://www-01.ibm.com/support/docview.wss?uid=swg27013341", "refsource": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg27013341"}, {"name": "31634", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31634"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T09:53:00.432Z"}, "title": "CVE Program Container", "references": [{"name": "49776", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/49776"}, {"name": "1020762", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1020762"}, {"name": "ibm-lotus-quickr-multiple-xss(44694)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44694"}, {"name": "49772", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/49772"}, {"name": "ADV-2008-2444", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/2444"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg27013341"}, {"name": "31634", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31634"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-3860", "datePublished": "2008-08-29T16:22:00", "dateReserved": "2008-08-29T00:00:00", "dateUpdated": "2024-08-07T09:53:00.432Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ibm:aix:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7F01A55-7C37-4BAF-A4D4-61E8AC54FF79", "vulnerable": false}, {"criteria": "cpe:2.3:o:ibm:i5os:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6EAAC0C-BDB1-4217-9551-684859F2D4E5", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows_nt:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED27882B-A02A-4D5F-9117-A47976C676E0", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:lotus_quickr:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "83B3B388-0438-4806-9F21-2170428739DF", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities (1) in the WYSIWYG editors, (2) during local group creation, (3) during HTML redirects, (4) in the HTML import, (5) in the Rich text editor, and (6) in link-page in IBM Lotus Quickr 8.1 services for Lotus Domino before Hotfix 15 allow remote attackers to inject arbitrary web script or HTML via unknown vectors, including (7) the Imported Page. NOTE: the vulnerability in the WYSIWYG editors may exist because of an incomplete fix for CVE-2008-2163."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en (1)editores WYSIWYG (2)durante la creaci\u00f3n de un grupo local, (3) durante redireccionamientos HTML, (4) en el HTML-import, (5) en el editor Rich-text, y (6) en la p\u00e1gina de enlace del servicio IBM Lotus Quickr 8.1 para Lotus Domino anterior al parche (Hotfix) 15, permite a atacantes remotos inyectar web script o HTML de su elecci\u00f3n a trav\u00e9s de vectores no especificados, incluyendo (7) la Imported-Page. NOTA: La vulnerabilidad en el editor WYSIWYG puede ser debida a una correcci\u00f3n incompleta de para el CVE-2008-2163.\r\n"}], "id": "CVE-2008-3860", "lastModified": "2017-08-08T01:32:13.763", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2008-08-29T16:41:00.000", "references": [{"source": "cve@mitre.org", "url": "http://osvdb.org/49772"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/49776"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/31634"}, {"source": "cve@mitre.org", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg27013341"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1020762"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/2444"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44694"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}