CVE-2008-2335 - OpenCVE

Cross-site scripting (XSS) vulnerability in search_results.php in Vastal I-Tech phpVID 1.1 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: some of these details are obtained from third party information. NOTE: it was later reported that 1.2.3 is also affected.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Vastal	Phpvid

Configuration 1 [-]

OR	cpe:2.3:a:vastal:phpvid:1.1:::::::*
	cpe:2.3:a:vastal:phpvid:1.2:::::::*

References

Link	Resource
http://holisticinfosec.org/content/view/65/45/
http://osvdb.org/show/osvdb/45171
http://packetstormsecurity.com/files/122746/PHP-VID-XSS-SQL-Injection-CRLF-Injection.html
http://packetstormsecurity.com/files/130755/Vastal-I-tech-phpVID-1.2.3-Cross-Site-Scripting.html	Exploit
http://seclists.org/fulldisclosure/2015/Mar/59	Exploit
http://secunia.com/advisories/30152	Vendor Advisory
http://tetraph.com/security/xss-vulnerability/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://www.exploit-db.com/exploits/27519
http://www.securityfocus.com/bid/29238
http://www.vupen.com/english/advisories/2008/2552
https://exchange.xforce.ibmcloud.com/vulnerabilities/42450
https://www.exploit-db.com/exploits/6422

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2008-05-19T10:00:00

Updated: 2017-09-28T12:57:01

Reserved: 2008-05-19T00:00:00

Link: CVE-2008-2335

JSON object: View

NVD Information

Status : Modified

Published: 2008-05-19T13:20:00.000

Modified: 2017-09-29T01:31:07.147

Link: CVE-2008-2335

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-05-15T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in search_results.php in Vastal I-Tech phpVID 1.1 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: some of these details are obtained from third party information. NOTE: it was later reported that 1.2.3 is also affected."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "phpvid-query-xss(42450)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42450"}, {"name": "27519", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "http://www.exploit-db.com/exploits/27519"}, {"name": "ADV-2008-2552", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/2552"}, {"tags": ["x_refsource_MISC"], "url": "http://tetraph.com/security/xss-vulnerability/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/"}, {"name": "30152", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/30152"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/122746/PHP-VID-XSS-SQL-Injection-CRLF-Injection.html"}, {"name": "20150310 Vastal I-tech phpVID 1.2.3 Multiple XSS (Cross-site Scripting) Security Vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2015/Mar/59"}, {"name": "29238", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/29238"}, {"name": "6422", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/6422"}, {"tags": ["x_refsource_MISC"], "url": "http://holisticinfosec.org/content/view/65/45/"}, {"name": "45171", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/show/osvdb/45171"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/130755/Vastal-I-tech-phpVID-1.2.3-Cross-Site-Scripting.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-2335", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in search_results.php in Vastal I-Tech phpVID 1.1 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: some of these details are obtained from third party information. NOTE: it was later reported that 1.2.3 is also affected."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "phpvid-query-xss(42450)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42450"}, {"name": "27519", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/27519"}, {"name": "ADV-2008-2552", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/2552"}, {"name": "http://tetraph.com/security/xss-vulnerability/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/", "refsource": "MISC", "url": "http://tetraph.com/security/xss-vulnerability/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/"}, {"name": "30152", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30152"}, {"name": "http://packetstormsecurity.com/files/122746/PHP-VID-XSS-SQL-Injection-CRLF-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/122746/PHP-VID-XSS-SQL-Injection-CRLF-Injection.html"}, {"name": "20150310 Vastal I-tech phpVID 1.2.3 Multiple XSS (Cross-site Scripting) Security Vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/Mar/59"}, {"name": "29238", "refsource": "BID", "url": "http://www.securityfocus.com/bid/29238"}, {"name": "6422", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/6422"}, {"name": "http://holisticinfosec.org/content/view/65/45/", "refsource": "MISC", "url": "http://holisticinfosec.org/content/view/65/45/"}, {"name": "45171", "refsource": "OSVDB", "url": "http://osvdb.org/show/osvdb/45171"}, {"name": "http://packetstormsecurity.com/files/130755/Vastal-I-tech-phpVID-1.2.3-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/130755/Vastal-I-tech-phpVID-1.2.3-Cross-Site-Scripting.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-2335", "datePublished": "2008-05-19T10:00:00", "dateReserved": "2008-05-19T00:00:00", "dateUpdated": "2017-09-28T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vastal:phpvid:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "465C4D44-E4C0-4662-A660-523EEFA115B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vastal:phpvid:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "535CBED6-BFC6-42F4-BA3E-3967F344ED0E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in search_results.php in Vastal I-Tech phpVID 1.1 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: some of these details are obtained from third party information. NOTE: it was later reported that 1.2.3 is also affected."}, {"lang": "es", "value": "Vulnerabilidad de XSS en search_results.php en Vastal I-Tech phpVID 1.1 y 1.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del parametro query. NOTA: algunos de estos detalles han sido obtenidos de informaci\u00f3n de terceros. NOTA: m\u00e1s tarde se inform\u00f3 que tambi\u00e9n se ve afectada la versi\u00f3n 1.2.3."}], "id": "CVE-2008-2335", "lastModified": "2017-09-29T01:31:07.147", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2008-05-19T13:20:00.000", "references": [{"source": "cve@mitre.org", "url": "http://holisticinfosec.org/content/view/65/45/"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/show/osvdb/45171"}, {"source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/122746/PHP-VID-XSS-SQL-Injection-CRLF-Injection.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/130755/Vastal-I-tech-phpVID-1.2.3-Cross-Site-Scripting.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2015/Mar/59"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/30152"}, {"source": "cve@mitre.org", "url": "http://tetraph.com/security/xss-vulnerability/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/"}, {"source": "cve@mitre.org", "url": "http://www.exploit-db.com/exploits/27519"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/29238"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/2552"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42450"}, {"source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/6422"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}