Lucene search

[email protected]CVE-2008-3842

HistoryAug 27, 2008 - 8:41 p.m.

CVE-2008-3842

2008-08-2720:41:00

CWE-79

[email protected]

web.nvd.nist.gov

asp.net

request validation

validaterequest

xss

cross-site scripting

nvd

cve-2008-3842

6 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.404 Medium

EPSS

Percentile

97.3%

JSON

Request Validation (aka the ValidateRequest filters) in ASP.NET in Microsoft .NET Framework without the MS07-040 update does not properly detect dangerous client input, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a query string containing a “</” (less-than slash) sequence.

CPENameOperatorVersion
microsoft:.net_frameworkmicrosoft .net frameworkeq2.0
microsoft:.net_frameworkmicrosoft .net frameworkeq1.1
microsoft:.net_frameworkmicrosoft .net frameworkeq1.0

CPE	Name	Operator	Version
microsoft:.net_framework	microsoft .net framework	eq	2.0
microsoft:.net_framework	microsoft .net framework	eq	1.1
microsoft:.net_framework	microsoft .net framework	eq	1.0

References

securityreason.com/securityalert/4193

www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf

www.securityfocus.com/archive/1/495667/100/0/threaded

exchange.xforce.ibmcloud.com/vulnerabilities/44741

6 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.404 Medium

EPSS

Percentile

97.3%

JSON

Related for CVE-2008-3842

prion1 nessus1