CVE-2005-4357 - OpenCVE

Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary Javascript via a permitted HTML tag with " (quote) characters and active attributes such as onmouseover.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:H/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Phpbb Group	Phpbb

Configuration 1 [-]

cpe:2.3:a:phpbb_group:phpbb:2.0.18:*:*:*:*:*:*:*

References

Link	Resource
http://marc.info/?l=full-disclosure&m=113484567432679&w=2
http://secunia.com/advisories/18125	Vendor Advisory
http://secunia.com/advisories/18252
http://securityreason.com/achievement_securityalert/29
http://securityreason.com/securityalert/269	Exploit Vendor Advisory
http://www.osvdb.org/21803
http://www.phpbb.com/phpBB/viewtopic.php?t=352966
http://www.securityfocus.com/archive/1/420537/100/0/threaded
http://www.vupen.com/english/advisories/2005/2991
http://www.vupen.com/english/advisories/2006/0010

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2005-12-20T01:00:00

Updated: 2018-10-19T14:57:01

Reserved: 2005-12-20T00:00:00

Link: CVE-2005-4357

JSON object: View

NVD Information

Status : Modified

Published: 2005-12-20T01:03:00.000

Modified: 2018-10-19T15:40:51.973

Link: CVE-2005-4357

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2005-12-16T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when \"Allowed HTML tags\" is enabled, allows remote attackers to inject arbitrary Javascript via a permitted HTML tag with \" (quote) characters and active attributes such as onmouseover."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-19T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20051217 phpBB 2.0.18 XSS and Full Path Disclosure", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://marc.info/?l=full-disclosure&m=113484567432679&w=2"}, {"name": "ADV-2005-2991", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2005/2991"}, {"name": "18252", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/18252"}, {"name": "20051230 phpbb2.0.19 fixes security issues", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/420537/100/0/threaded"}, {"name": "18125", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/18125"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.phpbb.com/phpBB/viewtopic.php?t=352966"}, {"tags": ["x_refsource_MISC"], "url": "http://securityreason.com/securityalert/269"}, {"name": "21803", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/21803"}, {"name": "20051217 phpBB 2.0.18 XSS and Full Path Disclosure", "tags": ["third-party-advisory", "x_refsource_SREASONRES"], "url": "http://securityreason.com/achievement_securityalert/29"}, {"name": "ADV-2006-0010", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2006/0010"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2005-4357", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when \"Allowed HTML tags\" is enabled, allows remote attackers to inject arbitrary Javascript via a permitted HTML tag with \" (quote) characters and active attributes such as onmouseover."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20051217 phpBB 2.0.18 XSS and Full Path Disclosure", "refsource": "FULLDISC", "url": "http://marc.info/?l=full-disclosure&m=113484567432679&w=2"}, {"name": "ADV-2005-2991", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2005/2991"}, {"name": "18252", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/18252"}, {"name": "20051230 phpbb2.0.19 fixes security issues", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/420537/100/0/threaded"}, {"name": "18125", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/18125"}, {"name": "http://www.phpbb.com/phpBB/viewtopic.php?t=352966", "refsource": "CONFIRM", "url": "http://www.phpbb.com/phpBB/viewtopic.php?t=352966"}, {"name": "http://securityreason.com/securityalert/269", "refsource": "MISC", "url": "http://securityreason.com/securityalert/269"}, {"name": "21803", "refsource": "OSVDB", "url": "http://www.osvdb.org/21803"}, {"name": "20051217 phpBB 2.0.18 XSS and Full Path Disclosure", "refsource": "SREASONRES", "url": "http://securityreason.com/achievement_securityalert/29"}, {"name": "ADV-2006-0010", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/0010"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2005-4357", "datePublished": "2005-12-20T01:00:00", "dateReserved": "2005-12-20T00:00:00", "dateUpdated": "2018-10-19T14:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpbb_group:phpbb:2.0.18:*:*:*:*:*:*:*", "matchCriteriaId": "70E7ED09-FDD7-4FC2-AD0F-4B31E170F3F5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when \"Allowed HTML tags\" is enabled, allows remote attackers to inject arbitrary Javascript via a permitted HTML tag with \" (quote) characters and active attributes such as onmouseover."}], "id": "CVE-2005-4357", "lastModified": "2018-10-19T15:40:51.973", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2005-12-20T01:03:00.000", "references": [{"source": "cve@mitre.org", "url": "http://marc.info/?l=full-disclosure&m=113484567432679&w=2"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/18125"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/18252"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/achievement_securityalert/29"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "http://securityreason.com/securityalert/269"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/21803"}, {"source": "cve@mitre.org", "url": "http://www.phpbb.com/phpBB/viewtopic.php?t=352966"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/420537/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2005/2991"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/0010"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}