phpScheduleIt 1.0.0 RC1 Multiple XSS

This script is Copyright (C) 2004-2012 Tenable Network Security, Inc.


Synopsis :

The remote web server contains a PHP application that is affected by
multiple cross-site scripting vulnerabilities.

Description :

According to its banner, the version of phpScheduleIt on the remote
host is earlier than 1.0.0. Such versions are vulnerable to HTML
injection issues. For example, an attacker may add malicious HTML and
JavaScript code in a schedule page if he has the right to edit the
'Schedule Name' field. This field is not properly sanitized. The
malicious code would be executed by a victim web browser displaying
this schedule.

See also :

http://archives.neohapsis.com/archives/bugtraq/2004-08/0417.html
http://archives.neohapsis.com/archives/bugtraq/2004-09/0216.html

Solution :

Upgrade to phpScheduleIt version 1.0.0 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:H/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 14613 ()

Bugtraq ID: 11080

CVE ID: CVE-2004-1651