ID: OSVDB:15254
Type: osvdb
Reporter: Lostmon Lords (Lostmon@gmail.com)
Modified: 2005-03-14T01:17:05
Description
Vulnerability Description
Spymac WebOS contains a flaw that allows a remote cross-site scripting (XSS) attack. The flaw exists because the application does not validate the 'threadid' or 'catid' variables when they are submitted to the newpoll.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Solution Description
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
{"edition": 1, "title": "Spymac WebOS newpoll.php Multiple Variable XSS", "bulletinFamily": "software", "published": "2005-03-14T01:17:05", "lastseen": "2017-04-28T13:20:11", "history": [], "modified": "2005-03-14T01:17:05", "reporter": "Lostmon Lords(Lostmon@gmail.com)", "hash": "80c75205170072a18edf52dd3edd2095807ffbb078bee96323e8c642e0901670", "viewCount": 1, "href": "https://vulners.com/osvdb/OSVDB:15254", "description": "## Vulnerability Description\nSpymac WebOS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'threadid' or 'catid' variables upon submission to the newpoll.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nSpymac WebOS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'threadid' or 'catid' variables upon submission to the newpoll.php script. 
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nhttp://[target]/forums/newpoll.php?catid=&threadid=[XSS-CODE]\nhttp://[target]/forums/newpoll.php?catid=&threadid=[XSS-code]\nhttp://[target]/forums/newpoll.php?catid=[XSS-code]&threadid=\n## References:\nVendor URL: http://www.spymac.com/network.php?p=webos&wwg=20\n[Related OSVDB ID: 15243](https://vulners.com/osvdb/OSVDB:15243)\n[Related OSVDB ID: 15246](https://vulners.com/osvdb/OSVDB:15246)\n[Related OSVDB ID: 15249](https://vulners.com/osvdb/OSVDB:15249)\n[Related OSVDB ID: 15253](https://vulners.com/osvdb/OSVDB:15253)\n[Related OSVDB ID: 15248](https://vulners.com/osvdb/OSVDB:15248)\n[Related OSVDB ID: 15252](https://vulners.com/osvdb/OSVDB:15252)\n[Related OSVDB ID: 15255](https://vulners.com/osvdb/OSVDB:15255)\n[Related OSVDB ID: 15247](https://vulners.com/osvdb/OSVDB:15247)\n[Related OSVDB ID: 15250](https://vulners.com/osvdb/OSVDB:15250)\n[Related OSVDB ID: 15251](https://vulners.com/osvdb/OSVDB:15251)\n[Related OSVDB ID: 15244](https://vulners.com/osvdb/OSVDB:15244)\n[Related OSVDB ID: 15245](https://vulners.com/osvdb/OSVDB:15245)\nOther Advisory URL: http://lostmon.blogspot.com/2005/03/spymac-web-os-30-multiple-variable-xss.html\n", "affectedSoftware": [{"name": "WebOS", "version": "3.0 beta 190", "operator": "eq"}], "type": "osvdb", "hashmap": [{"key": "affectedSoftware", "hash": "e4105f1cd31bd85c26aaaaacff5232a2"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "37443bbfcce6a7f2eb1b716b8a33e217"}, {"key": "href", "hash": "a2b48ba17fd8a67f252f16d689639aca"}, {"key": "modified", "hash": "6c194c4e40a0e054aaf3a58403e618d3"}, {"key": 
"objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "6c194c4e40a0e054aaf3a58403e618d3"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "2b3bb4c74230c6aa9a7bd90a8bd11717"}, {"key": "title", "hash": "6c348ca180874c16ad8bd3c821b314ec"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "references": [], "objectVersion": "1.2", "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2017-04-28T13:20:11"}, "dependencies": {"references": [], "modified": "2017-04-28T13:20:11"}, "vulnersScore": -0.1}, "cvss": {"vector": "NONE", "score": 0.0}, "cvelist": [], "id": "OSVDB:15254"}