ID: OSVDB:24214 | Type: osvdb | Reporter: r0t (krustevs@googlemail.com) | Modified: 2006-03-25T17:26:48
Description
Vulnerability Description
Absolute Image Gallery XE contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'shownew' variable upon submission to the gallery.asp script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Solution Description
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Short Description
Absolute Image Gallery XE contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'shownew' variable upon submission to the gallery.asp script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Vendor URL: http://www.xigla.com/absoluteig/index.htm
Other Advisory URL: http://pridels.blogspot.com/2006/03/absolute-image-gallery-xe-20-xss-vuln.html
ISS X-Force ID: 25466
FrSIRT Advisory: ADV-2006-1103
CVE-2006-1411
Bugtraq ID: 18712
Title: Absolute Image Gallery XE gallery.asp shownew Variable XSS
Affected Software: Absolute Image Gallery XE 2.0
CVSS: 4.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/)
Manual Testing Notes
/gallery.asp?action=viewimage&categoryid=8&text=&imageid=43&box=&shownew=[XSS]