CVE-2009-3789 - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in OpenDocMan 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the last_message parameter to (1) add.php, (2) toBePublished.php, (3) index.php, and (4) admin.php; the PATH_INFO to the default URI to (5) category.php, (6) department.php, (7) profile.php, (8) rejects.php, (9) search.php, (10) toBePublished.php, (11) user.php, and (12) view_file.php; and (13) the caller parameter in a Modify User action to user.php.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Opendocman	Opendocman

Configuration 1 [-]

cpe:2.3:a:opendocman:opendocman:1.2.5:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://osvdb.org/59302
http://osvdb.org/59303
http://osvdb.org/59304
http://osvdb.org/59305
http://osvdb.org/59306
http://osvdb.org/59307
http://osvdb.org/59308
http://osvdb.org/59309
http://osvdb.org/59310
http://osvdb.org/59311
http://osvdb.org/59312
http://secunia.com/advisories/30750
http://www.packetstormsecurity.org/0910-exploits/opendocman-sqlxss.txt
http://www.securityfocus.com/bid/36777
https://exchange.xforce.ibmcloud.com/vulnerabilities/53887

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2009-10-26T17:00:00

Updated: 2024-08-07T06:38:30.399Z

Reserved: 2009-10-26T00:00:00

Link: CVE-2009-3789

Vulnrichment

No data.

NVD

Status : Modified

Published: 2009-10-26T17:30:00.610

Modified: 2017-08-17T01:31:16.693

Link: CVE-2009-3789

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-10-21T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in OpenDocMan 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the last_message parameter to (1) add.php, (2) toBePublished.php, (3) index.php, and (4) admin.php; the PATH_INFO to the default URI to (5) category.php, (6) department.php, (7) profile.php, (8) rejects.php, (9) search.php, (10) toBePublished.php, (11) user.php, and (12) view_file.php; and (13) the caller parameter in a Modify User action to user.php."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "59302", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/59302"}, {"name": "59307", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/59307"}, {"name": "36777", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/36777"}, {"name": "59309", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/59309"}, {"name": "59304", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/59304"}, {"name": "59311", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/59311"}, {"name": "59310", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/59310"}, {"name": "59308", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/59308"}, {"name": "30750", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/30750"}, {"tags": ["x_refsource_MISC"], "url": "http://www.packetstormsecurity.org/0910-exploits/opendocman-sqlxss.txt"}, {"name": "59303", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/59303"}, {"name": "59305", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/59305"}, {"name": "opendocman-multiple-xss(53887)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53887"}, {"name": "59306", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/59306"}, {"name": "59312", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/59312"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3789", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in OpenDocMan 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the last_message parameter to (1) add.php, (2) toBePublished.php, (3) index.php, and (4) admin.php; the PATH_INFO to the default URI to (5) category.php, (6) department.php, (7) profile.php, (8) rejects.php, (9) search.php, (10) toBePublished.php, (11) user.php, and (12) view_file.php; and (13) the caller parameter in a Modify User action to user.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "59302", "refsource": "OSVDB", "url": "http://osvdb.org/59302"}, {"name": "59307", "refsource": "OSVDB", "url": "http://osvdb.org/59307"}, {"name": "36777", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36777"}, {"name": "59309", "refsource": "OSVDB", "url": "http://osvdb.org/59309"}, {"name": "59304", "refsource": "OSVDB", "url": "http://osvdb.org/59304"}, {"name": "59311", "refsource": "OSVDB", "url": "http://osvdb.org/59311"}, {"name": "59310", "refsource": "OSVDB", "url": "http://osvdb.org/59310"}, {"name": "59308", "refsource": "OSVDB", "url": "http://osvdb.org/59308"}, {"name": "30750", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30750"}, {"name": "http://www.packetstormsecurity.org/0910-exploits/opendocman-sqlxss.txt", "refsource": "MISC", "url": "http://www.packetstormsecurity.org/0910-exploits/opendocman-sqlxss.txt"}, {"name": "59303", "refsource": "OSVDB", "url": "http://osvdb.org/59303"}, {"name": "59305", "refsource": "OSVDB", "url": "http://osvdb.org/59305"}, {"name": "opendocman-multiple-xss(53887)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53887"}, {"name": "59306", "refsource": "OSVDB", "url": "http://osvdb.org/59306"}, {"name": "59312", "refsource": "OSVDB", "url": "http://osvdb.org/59312"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T06:38:30.399Z"}, "title": "CVE Program Container", "references": [{"name": "59302", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/59302"}, {"name": "59307", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/59307"}, {"name": "36777", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/36777"}, {"name": "59309", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/59309"}, {"name": "59304", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/59304"}, {"name": "59311", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/59311"}, {"name": "59310", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/59310"}, {"name": "59308", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/59308"}, {"name": "30750", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/30750"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.packetstormsecurity.org/0910-exploits/opendocman-sqlxss.txt"}, {"name": "59303", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/59303"}, {"name": "59305", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/59305"}, {"name": "opendocman-multiple-xss(53887)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53887"}, {"name": "59306", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/59306"}, {"name": "59312", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/59312"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3789", "datePublished": "2009-10-26T17:00:00", "dateReserved": "2009-10-26T00:00:00", "dateUpdated": "2024-08-07T06:38:30.399Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opendocman:opendocman:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "4E59FF8B-094D-4C8E-A8F5-D6177D4924CA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in OpenDocMan 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the last_message parameter to (1) add.php, (2) toBePublished.php, (3) index.php, and (4) admin.php; the PATH_INFO to the default URI to (5) category.php, (6) department.php, (7) profile.php, (8) rejects.php, (9) search.php, (10) toBePublished.php, (11) user.php, and (12) view_file.php; and (13) the caller parameter in a Modify User action to user.php."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en OpenDocMan v1.2.5, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro \"last_message\" sobre (1) add.php, (2) toBePublished.php, (3) index.php, y (4) admin.php; el par\u00e1metro PATH_INFO sobre la direcci\u00f3n Web por defecto (5) category.php, (6) department.php, (7) profile.php, (8) rejects.php, (9) search.php, (10) toBePublished.php, (11) user.php, y (12) view_file.php; y (13) el par\u00e1metro caller en una acci\u00f3n Modify User sobre user.php."}], "id": "CVE-2009-3789", "lastModified": "2017-08-17T01:31:16.693", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2009-10-26T17:30:00.610", "references": [{"source": "cve@mitre.org", "url": "http://osvdb.org/59302"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/59303"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/59304"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/59305"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/59306"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/59307"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/59308"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/59309"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/59310"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/59311"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/59312"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/30750"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.packetstormsecurity.org/0910-exploits/opendocman-sqlxss.txt"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch"], "url": "http://www.securityfocus.com/bid/36777"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53887"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}