Jose Antonio Coret reports that GForge contains multiple
Cross Site Scripting vulnerabilities and an e-mail flood
vulnerability:
The login form is also vulnerable to XSS (Cross Site
Scripting) attacks. This may be used to launch phishing
attacks by sending HTML e-mails (i.e.: saying that you
need to upgrade to the latest GForge version due to a
security problem) and putting in the e-mail an HTML link
that points to a specially crafted URL that inserts an
HTML form in the GForge login page and when the user presses
the login button, he/she sends the credentials to the
attacker's website.
The 'forgot your password?' feature allows a remote user
to load a certain URL to cause the service to send a
validation e-mail to the specified user's e-mail address.
There is no limit to the number of messages sent over a
period of time, so a remote user can flood the target
user's secondary e-mail address. E-Mail Flood, E-Mail
bomber.
{"id": "D7CD5015-08C9-11DA-BC08-0001020EED82", "vendorId": null, "type": "freebsd", "bulletinFamily": "unix", "title": "gforge -- XSS and email flood vulnerabilities", "description": "\n\nJose Antonio Coret reports that GForge contains multiple\n\t Cross Site Scripting vulnerabilities and an e-mail flood\n\t vulnerability:\n\nThe login form is also vulnerable to XSS (Cross Site\n\t Scripting) attacks. This may be used to launch phising\n\t attacks by sending HTML e-mails (i.e.: saying that you\n\t need to upgrade to the latest GForge version due to a\n\t security problem) and putting in the e-mail an HTML link\n\t that points to an specially crafted url that inserts an\n\t html form in the GForge login page and when the user press\n\t the login button, he/she send the credentials to the\n\t attackers website.\nThe 'forgot your password?' feature allows a remote user\n\t to load a certain URL to cause the service to send a\n\t validation e-mail to the specified user's e-mail address.\n\t There is no limit to the number of messages sent over a\n\t period of time, so a remote user can flood the target\n\t user's secondary e-mail address. 
E-Mail Flood, E-Mail\n\t bomber.\n\n\n", "published": "2005-07-27T00:00:00", "modified": "2005-07-27T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {}, "href": "https://vuxml.freebsd.org/freebsd/d7cd5015-08c9-11da-bc08-0001020eed82.html", "reporter": "FreeBSD", "references": ["http://marc.theaimsgroup.com/?l=bugtraq&m=112259845904350"], "cvelist": ["CVE-2005-2430", "CVE-2005-2431"], "immutableFields": [], "lastseen": "2022-01-19T16:03:50", "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-2430", "CVE-2005-2431"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1094-1:4A94D"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-1094.NASL", "FREEBSD_PKG_D7CD501508C911DABC080001020EED82.NASL", "GFORGE_45.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:55024", "OPENVAS:56925"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2005-2430", "UB:CVE-2005-2431"]}], "rev": 4}, "score": {"value": 4.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2005-2430", "CVE-2005-2431"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-1094.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:55024"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2005-2431"]}]}, "exploitation": null, "vulnersScore": 4.6}, "affectedPackage": [], "_state": {"dependencies": 1647589307, "score": 0}}
{"nessus": [{"lastseen": "2021-08-19T12:59:52", "description": "Jose Antonio Coret reports that GForge contains multiple Cross Site Scripting vulnerabilities and an e-mail flood vulnerability :\n\nThe login form is also vulnerable to XSS (Cross Site Scripting) attacks. This may be used to launch phising attacks by sending HTML e-mails (i.e.: saying that you need to upgrade to the latest GForge version due to a security problem) and putting in the e-mail an HTML link that points to an specially crafted url that inserts an html form in the GForge login page and when the user press the login button, he/she send the credentials to the attackers website.\n\nThe 'forgot your password?' feature allows a remote user to load a certain URL to cause the service to send a validation e-mail to the specified user's e-mail address. There is no limit to the number of messages sent over a period of time, so a remote user can flood the target user's secondary e-mail address. E-Mail Flood, E-Mail bomber.", "cvss3": {"score": null, "vector": null}, "published": "2011-10-14T00:00:00", "type": "nessus", "title": "FreeBSD : gforge -- XSS and email flood vulnerabilities (d7cd5015-08c9-11da-bc08-0001020eed82)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2005-2430", "CVE-2005-2431"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:gforge", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_D7CD501508C911DABC080001020EED82.NASL", "href": "https://www.tenable.com/plugins/nessus/56498", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2013 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. 
Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56498);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2005-2430\", \"CVE-2005-2431\");\n script_bugtraq_id(14405);\n\n script_name(english:\"FreeBSD : gforge -- XSS and email flood vulnerabilities (d7cd5015-08c9-11da-bc08-0001020eed82)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n 
attribute:\"description\", \n value:\n\"Jose Antonio Coret reports that GForge contains multiple Cross Site\nScripting vulnerabilities and an e-mail flood vulnerability :\n\nThe login form is also vulnerable to XSS (Cross Site Scripting)\nattacks. This may be used to launch phising attacks by sending HTML\ne-mails (i.e.: saying that you need to upgrade to the latest GForge\nversion due to a security problem) and putting in the e-mail an HTML\nlink that points to an specially crafted url that inserts an html form\nin the GForge login page and when the user press the login button,\nhe/she send the credentials to the attackers website.\n\nThe 'forgot your password?' feature allows a remote user to load a\ncertain URL to cause the service to send a validation e-mail to the\nspecified user's e-mail address. There is no limit to the number of\nmessages sent over a period of time, so a remote user can flood the\ntarget user's secondary e-mail address. E-Mail Flood, E-Mail bomber.\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=112259845904350\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://marc.info/?l=bugtraq&m=112259845904350\"\n );\n # http://www.freebsd.org/ports/portaudit/d7cd5015-08c9-11da-bc08-0001020eed82.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?989c3706\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:gforge\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/07/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"gforge>0\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-04-12T15:39:11", "description": "The remote host is running GForge, an open source software development collaborative toolset using PHP and PostgreSQL.\n\nThe installed version of GForge on the remote host fails to properly sanitize user-supplied input to several parameters / scripts before using it in dynamically-generated pages. 
An attacker can exploit these flaws to launch cross-site scripting attacks against the affected application.", "cvss3": {"score": null, "vector": null}, "published": "2005-07-29T00:00:00", "type": "nessus", "title": "GForge <= 4.5 Multiple Script XSS", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2005-2430"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:gforge:gforge"], "id": "GFORGE_45.NASL", "href": "https://www.tenable.com/plugins/nessus/19314", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(19314);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2005-2430\");\n script_bugtraq_id(14405);\n\n script_name(english:\"GForge <= 4.5 Multiple Script XSS\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is affected by\nmultiple cross-site scripting vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running GForge, an open source software development\ncollaborative toolset using PHP and PostgreSQL.\n\nThe installed version of GForge on the remote host fails to properly\nsanitize user-supplied input to several parameters / scripts before\nusing it in dynamically-generated pages. 
An attacker can exploit\nthese flaws to launch cross-site scripting attacks against the\naffected application.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/406723/30/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\n\"Unknown at this time.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:gforge:gforge\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"gforge_detect.nasl\", \"cross_site_scripting.nasl\");\n script_require_keys(\"www/gforge\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\ninclude(\"webapp_func.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0, \"The web server on port \"+port+\" does not support PHP\");\nif (get_kb_item(\"www/\"+port+\"/generic_xss\")) exit(0, \"The web server on port \"+port+\" is prone to 
XSS\");\n\n\n# A simple alert.\nxss = '<script>alert(\"' + SCRIPT_NAME + '\");</script>';\n\ninstall = get_install_from_kb(appname:'gforge', port:port);\nif (isnull(install)) exit(0, \"The 'www/\"+port+\"/gforge' KB item is missing.\");\n\ndir = install['dir'];\n\n# Try to exploit one of the flaws.\nw = http_send_recv3(method:\"GET\",\n item:string(\n dir, \"/forum/forum.php?\",\n \"forum_id=\", urlencode(str:string('\">', xss))\n ),\n port:port\n );\n if (isnull(w)) exit(1, \"the web server on port \"+port+\" failed to respond\");\n res = w[2];\n\n # There's a problem if we see our XSS as part of a PostgreSQL error.\n if (string('pg_atoi: error in \"\">', xss) >< res) {\n security_warning(port);\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n exit(0);\n }\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-08-19T13:14:55", "description": "Joxean Koret discovered several cross-site scripting vulnerabilities in Gforge, an online collaboration suite for software development, which allow injection of web script code.", "cvss3": {"score": null, "vector": null}, "published": "2006-10-14T00:00:00", "type": "nessus", "title": "Debian DSA-1094-1 : gforge - missing input sanitising", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2005-2430"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:gforge", "cpe:/o:debian:debian_linux:3.1"], "id": "DEBIAN_DSA-1094.NASL", "href": "https://www.tenable.com/plugins/nessus/22636", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1094. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22636);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2005-2430\");\n script_xref(name:\"DSA\", value:\"1094\");\n\n script_name(english:\"Debian DSA-1094-1 : gforge - missing input sanitising\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Joxean Koret discovered several cross-site scripting vulnerabilities\nin Gforge, an online collaboration suite for software development,\nwhich allow injection of web script code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328224\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2006/dsa-1094\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the gforge package.\n\nThe old stable distribution (woody) does not contain gforge packages.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 3.1-31sarge1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gforge\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/10/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/07/28\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.1\", prefix:\"gforge\", reference:\"3.1-31sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"gforge-common\", reference:\"3.1-31sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"gforge-cvs\", reference:\"3.1-31sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"gforge-db-postgresql\", reference:\"3.1-31sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"gforge-dns-bind9\", reference:\"3.1-31sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"gforge-ftp-proftpd\", reference:\"3.1-31sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"gforge-ldap-openldap\", reference:\"3.1-31sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"gforge-lists-mailman\", reference:\"3.1-31sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"gforge-mta-exim\", reference:\"3.1-31sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"gforge-mta-exim4\", reference:\"3.1-31sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"gforge-mta-postfix\", reference:\"3.1-31sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"gforge-shell-ldap\", reference:\"3.1-31sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"gforge-sourceforge-transition\", reference:\"3.1-31sarge1\")) 
flag++;\nif (deb_check(release:\"3.1\", prefix:\"gforge-web-apache\", reference:\"3.1-31sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"sourceforge\", reference:\"3.1-31sarge1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2017-07-02T21:10:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2430", "CVE-2005-2431"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-20T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:55024", "href": "http://plugins.openvas.org/nasl.php?oid=55024", "type": "openvas", "title": "FreeBSD Ports: gforge", "sourceData": "#\n#VID d7cd5015-08c9-11da-bc08-0001020eed82\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: gforge\n\nCVE-2005-2430\nMultiple cross-site scripting (XSS) vulnerabilities in GForge 4.5\nallow remote attackers to inject arbitrary web script or HTML via the\n(1) forum_id or (2) group_id parameter to forum.php, (3)\nproject_task_id parameter to task.php, (4) id parameter to detail.php,\n(5) the text field on the search page, (6) group_id parameter to\nqrs.php, (7) form, (8) rows, (9) cols or (10) wrap parameter to\nnotepad.php, or the login field on the login form.\n\nCVE-2005-2431\nThe (1) lost password and (2) account pending features in GForge 4.5\ndo not properly set a limit on the number of e-mails sent to an e-mail\naddress, which allows remote attackers to send a large number of\nmessages to arbitrary e-mail addresses (aka mail bomb).\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://marc.theaimsgroup.com/?l=bugtraq&m=112259845904350\nhttp://www.vuxml.org/freebsd/d7cd5015-08c9-11da-bc08-0001020eed82.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(55024);\n script_version(\"$Revision: 4118 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-20 07:32:38 +0200 (Tue, 20 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2005-2430\", \"CVE-2005-2431\");\n script_bugtraq_id(14405);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"FreeBSD Ports: 
gforge\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"gforge\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0\")>0) {\n txt += 'Package gforge version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:49:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2430"], "description": "The remote host is missing an update to gforge\nannounced via advisory DSA 1094-1.\n\nJoxean Koret discovered several cross-site scripting vulnerabilities in\nGforge, an online collaboration suite for software development, which\nallow injection of web script code.\n\nThe old stable distribution (woody) does not contain gforge packages.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:56925", "href": "http://plugins.openvas.org/nasl.php?oid=56925", "type": "openvas", "title": "Debian Security Advisory DSA 1094-1 (gforge)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1094_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1094-1\n#\n# Authors:\n# Thomas Reinke 
<reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) this problem has been fixed in\nversion 3.1-31sarge1.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 3.1-31sarge1.\n\nWe recommend that you upgrade your gforge package.\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201094-1\";\ntag_summary = \"The remote host is missing an update to gforge\nannounced via advisory DSA 1094-1.\n\nJoxean Koret discovered several cross-site scripting vulnerabilities in\nGforge, an online collaboration suite for software development, which\nallow injection of web script code.\n\nThe old stable distribution (woody) does not contain gforge packages.\";\n\n\nif(description)\n{\n script_id(56925);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:09:45 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2005-2430\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n 
script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Debian Security Advisory DSA 1094-1 (gforge)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"gforge-common\", ver:\"3.1-31sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gforge-cvs\", ver:\"3.1-31sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gforge-db-postgresql\", ver:\"3.1-31sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gforge-dns-bind9\", ver:\"3.1-31sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gforge-ftp-proftpd\", ver:\"3.1-31sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gforge-ldap-openldap\", ver:\"3.1-31sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gforge-lists-mailman\", ver:\"3.1-31sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gforge-mta-exim4\", ver:\"3.1-31sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gforge-mta-exim\", ver:\"3.1-31sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gforge-mta-postfix\", ver:\"3.1-31sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res 
= isdpkgvuln(pkg:\"gforge-shell-ldap\", ver:\"3.1-31sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gforge-sourceforge-transition\", ver:\"3.1-31sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gforge-web-apache\", ver:\"3.1-31sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gforge\", ver:\"3.1-31sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"sourceforge\", ver:\"3.1-31sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "cve": [{"lastseen": "2022-03-23T12:15:18", "description": "The (1) lost password and (2) account pending features in GForge 4.5 do not properly set a limit on the number of e-mails sent to an e-mail address, which allows remote attackers to send a large number of messages to arbitrary e-mail addresses (aka mail bomb).", "cvss3": {}, "published": "2005-08-03T04:00:00", "type": "cve", "title": "CVE-2005-2431", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-2431"], "modified": "2016-10-18T03:27:00", "cpe": ["cpe:/a:gforge:gforge:4.5"], "id": "CVE-2005-2431", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2431", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, 
"cpe23": ["cpe:2.3:a:gforge:gforge:4.5:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:15:17", "description": "Multiple cross-site scripting (XSS) vulnerabilities in GForge 4.5 allow remote attackers to inject arbitrary web script or HTML via the (1) forum_id or (2) group_id parameter to forum.php, (3) project_task_id parameter to task.php, (4) id parameter to detail.php, (5) the text field on the search page, (6) group_id parameter to qrs.php, (7) form, (8) rows, (9) cols or (10) wrap parameter to notepad.php, or the login field on the login form.", "cvss3": {}, "published": "2005-08-03T04:00:00", "type": "cve", "title": "CVE-2005-2430", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-2430"], "modified": "2017-07-11T01:32:00", "cpe": ["cpe:/a:gforge:gforge:4.5"], "id": "CVE-2005-2430", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2430", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:gforge:gforge:4.5:*:*:*:*:*:*:*"]}], "ubuntucve": [{"lastseen": "2021-11-22T22:04:10", "description": "The (1) lost password and (2) account pending features in GForge 4.5 do not\nproperly set a limit on the number of e-mails sent to an e-mail address,\nwhich allows remote attackers to send a large number of messages to\narbitrary e-mail addresses (aka mail bomb).", "cvss3": {}, "published": "2005-08-03T00:00:00", "type": "ubuntucve", "title": "CVE-2005-2431", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-2431"], "modified": "2005-08-03T00:00:00", "id": "UB:CVE-2005-2431", "href": "https://ubuntu.com/security/CVE-2005-2431", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-11-22T22:04:10", "description": "Multiple cross-site scripting (XSS) vulnerabilities in GForge 4.5 allow\nremote attackers to inject arbitrary web script or HTML via the (1)\nforum_id or (2) group_id parameter to forum.php, (3) project_task_id\nparameter to task.php, (4) id parameter to detail.php, (5) the text field\non the search page, (6) group_id parameter to qrs.php, (7) form, (8) rows,\n(9) cols or (10) wrap parameter to notepad.php, or the login field on the\nlogin form.", "cvss3": {}, "published": "2005-08-03T00:00:00", "type": "ubuntucve", "title": "CVE-2005-2430", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-2430"], "modified": "2005-08-03T00:00:00", "id": "UB:CVE-2005-2430", "href": "https://ubuntu.com/security/CVE-2005-2430", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "debian": [{"lastseen": 
"2022-01-04T13:33:05", "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 1094-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nJune 8th, 2006 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : gforge\nVulnerability : missing input sanitising\nProblem-Type : remote\nDebian-specific: no\nCVE ID : CVE-2005-2430\nDebian Bug : 328224\n\nJoxean Koret discovered several cross-site scripting vulnerabilities in\nGforge, an online collaboration suite for software development, which\nallow injection of web script code.\n\nThe old stable distribution (woody) does not contain gforge packages.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 3.1-31sarge1.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 3.1-31sarge1.\n\nWe recommend that you upgrade your gforge package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge1.dsc\n Size/MD5 checksum: 868 0452baf77a8669801e5c218405eb4c9e\n http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge1.diff.gz\n Size/MD5 checksum: 288414 97f88bfe5581a40469e05ed66fc54568\n http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1.orig.tar.gz\n Size/MD5 checksum: 1409879 c723b3a9efc016fd5449c4765d5de29c\n\n Architecture 
independent components:\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>", "cvss3": {}, "published": "2006-06-08T20:20:18", "type": "debian", "title": "[SECURITY] [DSA 1094-1] New gforge packages fix cross-site scripting", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-2430"], "modified": "2006-06-08T20:20:18", "id": "DEBIAN:DSA-1094-1:4A94D", "href": "https://lists.debian.org/debian-security-announce/2006/msg00180.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}