CVE-2009-2733
5.7 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.014 Low
EPSS
Percentile
86.5%
Multiple cross-site scripting (XSS) vulnerabilities in Achievo before 1.4.0 allow remote attackers to inject arbitrary web script or HTML via (1) the scheduler title in the scheduler module, and the (2) atksearch[contractnumber], (3) atksearch_AE_customer[customer], (4) atksearchmode[contracttype], and possibly (5) atksearch[contractname] parameters to the Organization Contracts administration page, reachable through dispatch.php.
References
secunia.com/advisories/37035
securitytracker.com/id?1023017
www.achievo.org/download/releasenotes/1_4_0
www.bonsai-sec.com/blog/index.php/cross-site-scripting-payloads/
www.bonsai-sec.com/research/vulnerabilities/achievo-multiple-xss-0101.txt
www.securityfocus.com/archive/1/507133/100/0/threaded
www.securityfocus.com/bid/36661
exchange.xforce.ibmcloud.com/vulnerabilities/53744
exchange.xforce.ibmcloud.com/vulnerabilities/53745
Related
5.7 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.014 Low
EPSS
Percentile
86.5%