[VIM] CVE-2006-1854 (Bluepay) vendor dispute
smoore at securityglobal.net
Fri May 12 23:57:17 EDT 2006
Oh, and there is also this problem:
And this is all before you enter the front door ...
Stuart Moore wrote:
> The script seems to remove the greater than and less than characters.
> But, your onmouseover example from the previous dispute works just fine
> in the username field:
> Steven M. Christey wrote:
>> Following the traditional Friday dispute pattern... I have not
>> investigated yet.
>> a r0t production.
>> - Steve
>> ---------- Forwarded message ----------
>> Date: Fri, 12 May 2006 15:54:11 -0500
>> From: Chris Jansen
>> To: cve at mitre.org
>> Cc: nvd at nist.gov
>> Subject: CVE-2006-1854 - Dispute
>> To Whom it May Concern,
>> As an authorized representative of Bluepay, Inc, as well as the primary
>> programmer on the Bluepay staff, I'd like to formally dispute
>> which reads as follows:
>> "Multiple cross-site scripting (XSS) vulnerabilities in BluePay Manager 2.0
>> and earlier allow remote attackers to inject arbitrary web script or HTML
>> during a login action via the (1) Account Name and (2) Username field."
>> Reference: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1854
>> I doubt this vulnerability ever existed, but assuming it did exist at
>> point, it does not exist currently in the Bluepay 2.0 product.
>> Please let me know what steps I can take next to have this entry listed as
>> vendor-disputed, or outright incorrect information.
>> -Chris Jansen
>> Senior Analyst
>> Bluepay, Inc
>> 184 N Shuman Blvd
>> Naperville, IL 60563
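
Added example, not part of the original thread and not BluePay's code: a sketch of why removing only the greater than and less than characters, as the reply above describes, still leaves an event-handler attribute in a form field, next to attribute-context encoding as the fix. The input template, function names and sample value are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Assumed template: the submitted value is echoed into a double-quoted attribute.
TEMPLATE = '<input type="text" name="username" value="%s">'

# Constructed sample input: contains no '<' or '>' at all.
SAMPLE = 'bob" onmouseover="alert(1)'


def strip_angle_brackets(value):
    """The filtering described in the thread: drop '<' and '>' only."""
    return value.replace("<", "").replace(">", "")


def render_field_filtered(value):
    # Weak: the double quote survives, so the value can close the attribute.
    return TEMPLATE % strip_angle_brackets(value)


def render_field_encoded(value):
    # Hardened: encode &, <, >, " and ' for the HTML attribute context.
    return TEMPLATE % html.escape(value, quote=True)


class _AttrCollector(HTMLParser):
    """Records the attribute names a parser sees on each start tag."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def attribute_names(markup):
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.names


if __name__ == "__main__":
    for render in (render_field_filtered, render_field_encoded):
        out = render(SAMPLE)
        print(render.__name__, attribute_names(out), out)
```
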