ID CVE-2006-0463
Type cve
Reporter cve@mitre.org
Modified 2008-09-05T20:59:00
Description
Cross-site scripting (XSS) vulnerability in IdeoContent Manager allows remote attackers to inject arbitrary web script or HTML via the (1) goto_id parameter to index.php or (2) page parameter to news_full.php.
{"osvdb": [{"lastseen": "2017-04-28T13:20:19", "bulletinFamily": "software", "description": "## Vulnerability Description\nIdeoContent Manager contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'goto_id' variables upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nIdeoContent Manager contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'goto_id' variables upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nhttp://[target]/index.php?goto_id=\"><script>alert(document.cookie)</script>\n## References:\nVendor URL: http://www.ideosoft.ro/\n[Related OSVDB ID: 22712](https://vulners.com/osvdb/OSVDB:22712)\n[Related OSVDB ID: 22714](https://vulners.com/osvdb/OSVDB:22714)\nOther Advisory URL: http://osvdb.org/ref/22/22712-ideocontent.txt\n[CVE-2006-0463](https://vulners.com/cve/CVE-2006-0463)\n", "modified": "2006-01-18T00:00:00", "published": "2006-01-18T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:22713", "id": "OSVDB:22713", "type": "osvdb", "title": "IdeoContent Manager index.php goto_id Variable XSS", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:19", "bulletinFamily": "software", "description": "## Vulnerability Description\nIdeoContent Manager contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'page' variable upon submission to the 'news_full.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nIdeoContent Manager contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'page' variable upon submission to the 'news_full.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nhttp://[target]/news_full.php?&page=2\"><script>alert(document.cookie)</script>\n## References:\nVendor URL: http://www.ideosoft.ro/\n[Related OSVDB ID: 22713](https://vulners.com/osvdb/OSVDB:22713)\n[Related OSVDB ID: 22714](https://vulners.com/osvdb/OSVDB:22714)\nOther Advisory URL: http://osvdb.org/ref/22/22712-ideocontent.txt\n[CVE-2006-0463](https://vulners.com/cve/CVE-2006-0463)\n", "modified": "2006-01-18T00:00:00", "published": "2006-01-18T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:22712", "id": "OSVDB:22712", "type": "osvdb", "title": "IdeoContent Manager news_full.php page Variable XSS", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}