[VIM] Vendor ACK for Emefa Guestbook 1.2 XSS

Steven M. Christey coley at mitre.org
Sun Aug 21 16:37:45 EDT 2005

Ref: CAN-2005-2650 (forthcoming; see below)

The vendor's front page for the guestbook includes the item "Emefa
Guestbook News!  Recent Bug fix to script. 08/18/2005".  It links to
the original advisory and says "A recent bug that caused html and
javascript injection into 'sign.asp' has been fixed."


- Steve

Candidate: CAN-2005-2650
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2650
Reference: MISC:http://packetstormsecurity.org/0508-advisories/emefaGuest.txt
Reference: MISC:http://systemsecure.org/ssforum/viewtopic.php?t=91
Reference: CONFIRM:http://www.emefa.myserver.org/comp/guestview.php
Reference: SECUNIA:16489
Reference: URL:http://secunia.com/advisories/16489

Cross-site scripting (XSS) vulnerability in sign.asp in Emefa
Guestbook 1.2 allows remote attackers to inject arbitrary web script
or HTML via the (1) name, (2) location, and (3) email parameters.
