Search...

CVE-2005-4282

2005-12-16T11:03:00

ID CVE-2005-4282
Type cve
Reporter cve@mitre.org
Modified 2011-03-08T02:27:00

Description

Cross-site scripting (XSS) vulnerability in Zaygo DomainCart 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML, possibly via the root parameter to zaygo.cgi.

JSON Vulners Source

Initial Source

{"id": "CVE-2005-4282", "bulletinFamily": "NVD", "title": "CVE-2005-4282", "description": "Cross-site scripting (XSS) vulnerability in Zaygo DomainCart 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML, possibly via the root parameter to zaygo.cgi.", "published": "2005-12-16T11:03:00", "modified": "2011-03-08T02:27:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4282", "reporter": "cve@mitre.org", "references": ["http://www.vupen.com/english/advisories/2005/2917", "http://www.securityfocus.com/bid/15893", "http://secunia.com/advisories/18035", "http://www.osvdb.org/21729", "http://pridels0.blogspot.com/2005/12/domaincart-xss.html"], "cvelist": ["CVE-2005-4282"], "type": "cve", "lastseen": "2021-02-02T05:24:40", "edition": 6, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:21729"]}], "modified": "2021-02-02T05:24:40", "rev": 2}, "score": {"value": 4.4, "vector": "NONE", "modified": "2021-02-02T05:24:40", "rev": 2}, "vulnersScore": 4.4}, "cpe": ["cpe:/a:zaygo:domaincart:2.0"], "affectedSoftware": [{"cpeName": "zaygo:domaincart", "name": "zaygo domaincart", "operator": "le", "version": "2.0"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:zaygo:domaincart:2.0:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:zaygo:domaincart:2.0:*:*:*:*:*:*:*", "versionEndIncluding": "2.0", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "15893", "refsource": "BID", "tags": [], "url": "http://www.securityfocus.com/bid/15893"}, {"name": "21729", "refsource": "OSVDB", "tags": [], "url": "http://www.osvdb.org/21729"}, {"name": "ADV-2005-2917", "refsource": "VUPEN", "tags": [], "url": "http://www.vupen.com/english/advisories/2005/2917"}, {"name": "http://pridels0.blogspot.com/2005/12/domaincart-xss.html", "refsource": "MISC", "tags": [], "url": "http://pridels0.blogspot.com/2005/12/domaincart-xss.html"}, {"name": "18035", "refsource": "SECUNIA", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/18035"}]}

{"osvdb": [{"lastseen": "2017-04-28T13:20:18", "bulletinFamily": "software", "cvelist": ["CVE-2005-4281", "CVE-2005-4282"], "edition": 1, "description": "## Vulnerability Description\nDomainCart contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the root variable upon submission to the zaygo.cgi script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nDomainCart contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the root variable upon submission to the zaygo.cgi script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nAttempted to reproduce on their demo page, but failed. Anything after the semicolon appears to get stripped off, and I can't think of useful XSS attacks that don't use them.\n## References:\nVendor URL: http://www.zaygo.com/domain-shopping-cart/domaincart/\nVendor URL: http://www.zaygo.com/hosting-tools/hostingcart/\n[Secunia Advisory ID:18035](https://secuniaresearch.flexerasoftware.com/advisories/18035/)\n[Secunia Advisory ID:18036](https://secuniaresearch.flexerasoftware.com/advisories/18036/)\nOther Advisory URL: http://pridels.blogspot.com/2005/12/hostingcart-xss.html\nOther Advisory URL: http://pridels.blogspot.com/2005/12/domaincart-xss.html\nFrSIRT Advisory: ADV-2005-2916\n[CVE-2005-4281](https://vulners.com/cve/CVE-2005-4281)\n[CVE-2005-4282](https://vulners.com/cve/CVE-2005-4282)\n", "modified": "2005-12-15T19:13:39", "published": "2005-12-15T19:13:39", "href": "https://vulners.com/osvdb/OSVDB:21729", "id": "OSVDB:21729", "title": "Zaygo Multiple Cart zaygo.cgi root Variable XSS", "type": "osvdb", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}