CVE-2009-3789

medium

Description

Multiple cross-site scripting (XSS) vulnerabilities in OpenDocMan 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the last_message parameter to (1) add.php, (2) toBePublished.php, (3) index.php, and (4) admin.php; the PATH_INFO to the default URI to (5) category.php, (6) department.php, (7) profile.php, (8) rejects.php, (9) search.php, (10) toBePublished.php, (11) user.php, and (12) view_file.php; and (13) the caller parameter in a Modify User action to user.php.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/53887

http://secunia.com/advisories/30750

http://osvdb.org/59312

http://osvdb.org/59311

http://osvdb.org/59310

http://osvdb.org/59309

http://osvdb.org/59308

http://osvdb.org/59307

http://osvdb.org/59306

http://osvdb.org/59305

http://osvdb.org/59304

http://osvdb.org/59303

http://osvdb.org/59302

Details

Source: Mitre, NVD

Published: 2009-10-26

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.03544