CVE-2008-3315 - OpenCVE

Vendors	Products
Claroline	Claroline

Link	Resource
http://secunia.com/advisories/31201	Vendor Advisory
http://securityreason.com/securityalert/4041
http://sourceforge.net/project/shownotes.php?release_id=615030	Patch
http://wiki.claroline.net/index.php/Changelog_1.8.x#Modification_between_claroline_1.8.10_and_1.8.11
http://www.securityfocus.com/archive/1/494655/100/0/threaded
http://www.securityfocus.com/bid/30346	Exploit Patch
http://www.vupen.com/english/advisories/2008/2167/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/43962

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-07-22T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.8.10 allow remote attackers to inject arbitrary web script or HTML via the (1) query string to (a) announcements/messages.php; (b) lostPassword.php and (c) profile.php in auth/; (d) calendar/myagenda.php; (e) group/group.php; (f) learningPath.php, (g) learningPathList.php, and (h) module.php in learnPath/; (i) phpbb/index.php; (j) courseLog.php, (k) course_access_details.php, (l) delete_course_stats.php, (m) userLog.php, and (n) user_access_details.php in tracking/; (o) user/user.php; and (p) user/userInfo.php; the (2) view parameter to (q) tracking/courseLog.php; and the (3) toolId parameter to (r) tracking/toolaccess_details.php. NOTE: this may overlap CVE-2006-3257 and CVE-2005-1374."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20080722 [DSECRG-08-032] Claroline 1.8.10 Multiple XSS Vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/494655/100/0/threaded"}, {"name": "30346", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/30346"}, {"name": "4041", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/4041"}, {"name": "31201", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31201"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://sourceforge.net/project/shownotes.php?release_id=615030"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://wiki.claroline.net/index.php/Changelog_1.8.x#Modification_between_claroline_1.8.10_and_1.8.11"}, {"name": "ADV-2008-2167", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/2167/references"}, {"name": "claroline-courselog-toolaccess-xss(43962)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43962"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-3315", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.8.10 allow remote attackers to inject arbitrary web script or HTML via the (1) query string to (a) announcements/messages.php; (b) lostPassword.php and (c) profile.php in auth/; (d) calendar/myagenda.php; (e) group/group.php; (f) learningPath.php, (g) learningPathList.php, and (h) module.php in learnPath/; (i) phpbb/index.php; (j) courseLog.php, (k) course_access_details.php, (l) delete_course_stats.php, (m) userLog.php, and (n) user_access_details.php in tracking/; (o) user/user.php; and (p) user/userInfo.php; the (2) view parameter to (q) tracking/courseLog.php; and the (3) toolId parameter to (r) tracking/toolaccess_details.php. NOTE: this may overlap CVE-2006-3257 and CVE-2005-1374."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20080722 [DSECRG-08-032] Claroline 1.8.10 Multiple XSS Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/494655/100/0/threaded"}, {"name": "30346", "refsource": "BID", "url": "http://www.securityfocus.com/bid/30346"}, {"name": "4041", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/4041"}, {"name": "31201", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31201"}, {"name": "http://sourceforge.net/project/shownotes.php?release_id=615030", "refsource": "CONFIRM", "url": "http://sourceforge.net/project/shownotes.php?release_id=615030"}, {"name": "http://wiki.claroline.net/index.php/Changelog_1.8.x#Modification_between_claroline_1.8.10_and_1.8.11", "refsource": "CONFIRM", "url": "http://wiki.claroline.net/index.php/Changelog_1.8.x#Modification_between_claroline_1.8.10_and_1.8.11"}, {"name": "ADV-2008-2167", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/2167/references"}, {"name": "claroline-courselog-toolaccess-xss(43962)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43962"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-3315", "datePublished": "2008-07-25T16:00:00", "dateReserved": "2008-07-25T00:00:00", "dateUpdated": "2018-10-11T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:claroline:claroline:1.8.10:*:*:*:*:*:*:*", "matchCriteriaId": "5F3A93AA-BDC0-42A1-BCCA-4C768706D813", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.8.10 allow remote attackers to inject arbitrary web script or HTML via the (1) query string to (a) announcements/messages.php; (b) lostPassword.php and (c) profile.php in auth/; (d) calendar/myagenda.php; (e) group/group.php; (f) learningPath.php, (g) learningPathList.php, and (h) module.php in learnPath/; (i) phpbb/index.php; (j) courseLog.php, (k) course_access_details.php, (l) delete_course_stats.php, (m) userLog.php, and (n) user_access_details.php in tracking/; (o) user/user.php; and (p) user/userInfo.php; the (2) view parameter to (q) tracking/courseLog.php; and the (3) toolId parameter to (r) tracking/toolaccess_details.php. NOTE: this may overlap CVE-2006-3257 and CVE-2005-1374."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Claroline 1.8.10 permite a atacantes remotos inyectar secuencias de comandos Web o HTML mediante (1) la cadena query en (a) announcements/messages.php; (b) lostPassword.php y (c) profile.php de auth/; (d) calendar/myagenda.php; (e) group/group.php; (f) learningPath.php, (g) learningPathList.php y (h) module.php de learnPath/; (i) phpbb/index.php; (j) courseLog.php, (k) course_access_details.php, (l) delete_course_stats.php, (m) userLog.php y (n) user_access_details.php de tracking/; (o) user/user.php y (p) user/userInfo.php; el par\u00e1metro (2) view en (q) tracking/courseLog.php y el par\u00e1metro (3) toolId en (r) tracking/toolaccess_details.php. NOTE: Puede que esta vulnerabilidad se solape con CVE-2006-3257 y CVE-2005-1374."}], "id": "CVE-2008-3315", "lastModified": "2018-10-11T20:47:56.897", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2008-07-25T16:41:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/31201"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/4041"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://sourceforge.net/project/shownotes.php?release_id=615030"}, {"source": "cve@mitre.org", "url": "http://wiki.claroline.net/index.php/Changelog_1.8.x#Modification_between_claroline_1.8.10_and_1.8.11"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/494655/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch"], "url": "http://www.securityfocus.com/bid/30346"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/2167/references"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43962"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

JSON object

JSON object

JSON object