ID OSVDB:26991 Type osvdb Reporter luny(luny@youfucktard.com) Modified 2006-06-30T09:33:59
Description
Vulnerability Description
Buddy Zone contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate form fields upon submission to the delete_event.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Solution Description
Upgrade to version 1.0.1 (2006-07-15) or higher, as it has been reported to fix this vulnerability. Note that this flaw was fixed in the July 15, 2006 release without a change in version number. An upgrade is required as there are no known workarounds.
Short Description
Buddy Zone contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate form fields upon submission to the delete_event.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
{"enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2017-04-28T13:20:23"}, "dependencies": {"references": [], "modified": "2017-04-28T13:20:23"}, "vulnersScore": -0.1}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Buddy Zone", "operator": "eq", "version": "1.0.1"}], "references": [], "href": "https://vulners.com/osvdb/OSVDB:26991", "id": "OSVDB:26991", "title": "Buddy Zone delete_event.php XSS", "history": [], "type": "osvdb", "cvss": {"score": 0.0, "vector": "NONE"}, "lastseen": "2017-04-28T13:20:23", "edition": 1, "hash": "8390d2e3c3859574da875d1f06b02ebd6fc5afb21257c206fb6176c0f8340822", "objectVersion": "1.2", "reporter": "luny(luny@youfucktard.com)", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate form fields upon submission to the delete_event.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 1.0.1 (2006-07-15) or higher, as it has been reported to fix this vulnerability. Note that this flaw was fixed in the July 15, 2006 release without a change in version number. An upgrade is required as there are no known workarounds.\n## Short Description\nBuddy Zone contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate form fields upon submission to the delete_event.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26990](https://vulners.com/osvdb/OSVDB:26990)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26988](https://vulners.com/osvdb/OSVDB:26988)\n[Related OSVDB ID: 26989](https://vulners.com/osvdb/OSVDB:26989)\n[Related OSVDB ID: 26993](https://vulners.com/osvdb/OSVDB:26993)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26992](https://vulners.com/osvdb/OSVDB:26992)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0245.html\nISS X-Force ID: 27512\nFrSIRT Advisory: ADV-2006-2645\nBugtraq ID: 18759\n", "modified": "2006-06-30T09:33:59", "viewCount": 0, "published": "2006-06-30T09:33:59", "cvelist": [], "hashmap": [{"key": "affectedSoftware", "hash": "2c45006ef0058b16213dcc98b36e5084"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "16f160e83cca8221e32b048e4c83cf4f"}, {"key": "href", "hash": "e35f94d6901a3d2b25f0019a89ba4989"}, {"key": "modified", "hash": "c55d57caa3f08e81e44aea0de0c01df0"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "c55d57caa3f08e81e44aea0de0c01df0"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "1ecbff27b0062287be6ddd5f3644abbb"}, {"key": "title", "hash": "a0ff9313bb550b8a6db3ca5a0040a942"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}]}
