ID CVE-2005-2063
Type cve
Reporter cve@mitre.org
Modified 2016-10-18T03:24:00
Description
Multiple cross-site scripting (XSS) vulnerabilities in ActiveBuyAndSell 6.2 allow remote attackers to inject arbitrary web script or HTML via the (1) Title parameter to sendpassword.asp or (2) Keyword field in search.asp.
{
  "osvdb": [
    {
      "lastseen": "2017-04-28T13:20:13",
      "bulletinFamily": "software",
      "description": "## Vulnerability Description\nActiveBuyandSell contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Keyword' variable upon submission to the 'search.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nActiveBuyandSell contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Keyword' variable upon submission to the 'search.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nhttp://[victim]/ebuyandsell/search.asp\nKeyword : <script>alert('dudul')</script>\n## References:\nVendor URL: http://ActiveWebSoftwares.com\n[Secunia Advisory ID:15837](https://secuniaresearch.flexerasoftware.com/advisories/15837/)\n[Related OSVDB ID: 17548](https://vulners.com/osvdb/OSVDB:17548)\n[Related OSVDB ID: 17547](https://vulners.com/osvdb/OSVDB:17547)\n[Related OSVDB ID: 17552](https://vulners.com/osvdb/OSVDB:17552)\n[Related OSVDB ID: 17553](https://vulners.com/osvdb/OSVDB:17553)\n[Related OSVDB ID: 17550](https://vulners.com/osvdb/OSVDB:17550)\n[Related OSVDB ID: 17551](https://vulners.com/osvdb/OSVDB:17551)\n[Related OSVDB ID: 17549](https://vulners.com/osvdb/OSVDB:17549)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0209.html\n[CVE-2005-2063](https://vulners.com/cve/CVE-2005-2063)\n",
      "modified": "2005-06-24T05:20:50",
      "published": "2005-06-24T05:20:50",
      "href": "https://vulners.com/osvdb/OSVDB:17554",
      "id": "OSVDB:17554",
      "title": "ActiveBuyandSell search.asp Keyword Variable XSS",
      "type": "osvdb",
      "cvss": {
        "score": 4.3,
        "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"
      }
    },
    {
      "lastseen": "2017-04-28T13:20:13",
      "bulletinFamily": "software",
      "description": "## Vulnerability Description\nActiveBuyandSell contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Title' variable upon submission to the 'sendpassword.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nActiveBuyandSell contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Title' variable upon submission to the 'sendpassword.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nhttp://[victim]/ebuyandsell/sendpassword.asp?Table=Buyer&Title=<script>alert('test')</script>&EmailFld=BEmail\n## References:\nVendor URL: http://ActiveWebSoftwares.com\n[Secunia Advisory ID:15837](https://secuniaresearch.flexerasoftware.com/advisories/15837/)\n[Related OSVDB ID: 17548](https://vulners.com/osvdb/OSVDB:17548)\n[Related OSVDB ID: 17554](https://vulners.com/osvdb/OSVDB:17554)\n[Related OSVDB ID: 17547](https://vulners.com/osvdb/OSVDB:17547)\n[Related OSVDB ID: 17552](https://vulners.com/osvdb/OSVDB:17552)\n[Related OSVDB ID: 17550](https://vulners.com/osvdb/OSVDB:17550)\n[Related OSVDB ID: 17551](https://vulners.com/osvdb/OSVDB:17551)\n[Related OSVDB ID: 17549](https://vulners.com/osvdb/OSVDB:17549)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0209.html\nISS X-Force ID: 21141\n[CVE-2005-2063](https://vulners.com/cve/CVE-2005-2063)\nBugtraq ID: 14068\n",
      "modified": "2005-06-24T05:20:50",
      "published": "2005-06-24T05:20:50",
      "href": "https://vulners.com/osvdb/OSVDB:17553",
      "id": "OSVDB:17553",
      "title": "ActiveBuyandSell sendpassword.asp Title Variable XSS",
      "type": "osvdb",
      "cvss": {
        "score": 4.3,
        "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"
      }
    }
  ]
}