phpScheduleIt < 1.0.0 New User Registration HTML Injection

Medium Nessus Network Monitor Plugin ID 2191

Synopsis

The remote host is vulnerable to an HTML injection attack.

Description

The remote host is running phpScheduleIt. According to its banner, this version is reported to be vulnerable to an HTML injection issue. An attacker who has the right to edit the 'Schedule Name' field may add malicious HTML and JavaScript code to a schedule page, because this field is not properly sanitized. The malicious code would be executed by a victim's web browser when it displays this schedule.

Solution

Upgrade to phpScheduleIt 1.0.0 or higher.

Plugin Details

Severity: Medium

ID: 2191

Family: CGI

Published: 2004/09/01

Modified: 2016/01/21

Dependencies: 1442

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSSv3

Base Score: 5.3

Temporal Score: 5.1

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS3#E:H/RL:O/RC:C

Reference Information

CVE: CVE-2004-1651

BID: 11080