FreeBSD C0171F59-EA8A-11DA-BE02-000C6EC775D9
Apr 12, 2006 - 12:00 a.m.

frontpage -- cross site scripting vulnerability

2006-04-12 00:00:00
vuxml.freebsd.org

CVSS2: 6.8 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.167 Low
Percentile: 96.1%

Esteban Martinez Fayo reports:

The FrontPage Server Extensions 2002 (included in Windows
Server 2003 IIS 6.0 and available as a separate download
for Windows 2000 and XP) has a web page
/_vti_bin/_vti_adm/fpadmdll.dll that is used for
administrative purposes. This web page is vulnerable to
cross site scripting attacks allowing an attacker to run
client-side script on behalf of an FPSE user. If the
victim is an administrator, the attacker could take
complete control of a Front Page Server Extensions 2002
server.

To exploit the vulnerability an attacker can send a
specially crafted e-mail message to an FPSE user and then
persuade the user to click a link in the e-mail
message.

In addition, this vulnerability can be exploited if an
attacker hosts a malicious website and persuades the user
to visit it.