[VIM] CVE-2006-1854 (Bluepay) vendor dispute

Stuart Moore smoore at securityglobal.net
Fri May 12 23:52:32 EDT 2006


Steve,

The script seems to remove the greater than and less than characters. 
But, your onmouseover example from the previous dispute works just fine 
in the username field:

" onmouseover="javascript:alert('hi')"

:-)

Stuart


Steven M. Christey wrote:
> Following the traditional Friday dispute pattern...  I have not
> investigated yet.
> 
> a r0t production.
> 
> - Steve
> 
> 
> ---------- Forwarded message ----------
> Date: Fri, 12 May 2006 15:54:11 -0500
> From: Chris Jansen
> To: cve at mitre.org
> Cc: nvd at nist.gov
> Subject: CVE-2006-1854 - Dispute
> 
> To Whom it May Concern,
> 
>   As an authorized representative of Bluepay, Inc, as well as the primary
> programmer on the Bluepay staff, I'd like to formally dispute CVE-2006-1854,
> which reads as follows:
> 
> "Multiple cross-site scripting (XSS) vulnerabilities in BluePay Manager 2.0
> and earlier allow remote attackers to inject arbitrary web script or HTML
> during a login action via the (1) Account Name and (2) Username field."
> 
> Reference: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1854
> 
> I doubt this vulnerability ever existed, but assuming it did exist at some
> point, it does not exist currently in the Bluepay 2.0 product.
> 
> Please let me know what steps I can take next to have this entry listed as
> vendor-disputed, or outright incorrect information.
> 
> -Chris Jansen
> 630-723-4093
> 
> Senior Analyst
> Bluepay, Inc
> 184 N Shuman Blvd
> Naperville, IL 60563
> 
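
The filtering gap described in the message above, as an added example that is not part of the original thread and not BluePay's code: removing only < and > leaves a double quote free to close the value attribute, while attribute encoding keeps the input as data. The form template and all function names are assumptions made for illustration.

```javascript
// Added illustration. The template and function names are hypothetical,
// not BluePay Manager's actual code.

// Value from the message above, as it would be typed into the username field.
const SUBMITTED = `" onmouseover="javascript:alert('hi')"`;

// The filter as described in the thread: only < and > are removed.
function stripAngleBrackets(s) {
  return s.replace(/[<>]/g, "");
}

// Context-aware fix: encode every character that can terminate or
// reinterpret a quoted HTML attribute value.
function encodeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed template: the login form echoes the username back into value="...".
function renderUsernameField(value, sanitize) {
  return '<input type="text" name="username" value="' + sanitize(value) + '">';
}

// Small attribute scanner for a single tag: returns attribute names in order.
function attributeNames(tag) {
  const re = /([^\s"'<>\/=]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/g;
  return Array.from(tag.matchAll(re), (m) => m[1].toLowerCase());
}

// Event-handler attributes (on*) should never appear in this field.
function eventHandlers(tag) {
  return attributeNames(tag).filter((n) => n.startsWith("on"));
}

const weak = renderUsernameField(SUBMITTED, stripAngleBrackets);
const fixed = renderUsernameField(SUBMITTED, encodeHtmlAttr);
console.log(weak, eventHandlers(weak));   // extra on* attribute present
console.log(fixed, eventHandlers(fixed)); // input stays inside value="..."
```

The same scanner can serve as a regression check: render the field with test input and fail the build if any on* attribute appears.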

