Detections
Analytics

YaBB 1 GOLD SP 1.3.2 Multiple Vulnerabilities

low Nessus Plugin ID 14782

Language:

Synopsis

The remote web server contains a CGI application that suffers from multiple vulnerabilities.

Description

The 'YaBB.pl' CGI is installed. This version is affected by a cross-site scripting vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input.

As a result of this vulnerability, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of an unsuspecting user when followed.

Another flaw in YaBB may allow an attacker to execute malicious administrative commands on the remote host by sending malformed IMG tags in posts to the remote YaBB forum and waiting for the forum administrator to view one of the posts.

Solution

Unknown at this time.

See Also

https://seclists.org/bugtraq/2004/Sep/226

Plugin Details

Severity: Low

ID: 14782

File Name: yabb_xss.nasl

Version: 1.31

Type: remote

Family: CGI abuses

Published: 9/21/2004

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:yabb:yabb

Required KB Items: Settings/ParanoidReport

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Vulnerability Publication Date: 9/16/2004

Reference Information

CVE: CVE-2004-2402, CVE-2004-2403

BID: 11214, 11215

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990