CVE-2005-3818

Severity: Medium

Description

Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView action in the Leads module for index.php, (3) the $_SERVER['PHP_SELF'] variable, which is used in multiple locations such as index.php, and (4) aggregated RSS feeds in the RSS aggregation module.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/23363

https://exchange.xforce.ibmcloud.com/vulnerabilities/23362

http://www.vupen.com/english/advisories/2005/2569

http://www.securityfocus.com/archive/1/417730/30/0/threaded

http://www.osvdb.org/21230

http://www.osvdb.org/21229

http://www.osvdb.org/21228

http://www.osvdb.org/21227

http://securitytracker.com/id?1015271

http://secunia.com/advisories/17693

Details

Source: Mitre, NVD

Published: 2005-11-26

Updated: 2018-10-19

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium