{"bulletinFamily": "software", "viewCount": 80, "reporter": "Luny(luny@youfucktard.com)", "references": [], "description": "## Vulnerability Description\nFix And Chips CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'id' variable upon submission to the delete-announce.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 1.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nFix And Chips CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'id' variable upon submission to the delete-announce.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nhttp://[target]/delete-announce.php?id=[XSS]\n## References:\n[Secunia Advisory ID:23625](https://secuniaresearch.flexerasoftware.com/advisories/23625/)\n[Related OSVDB ID: 32650](https://vulners.com/osvdb/OSVDB:32650)\n[Related OSVDB ID: 32647](https://vulners.com/osvdb/OSVDB:32647)\n[Related OSVDB ID: 32648](https://vulners.com/osvdb/OSVDB:32648)\n[Related OSVDB ID: 32649](https://vulners.com/osvdb/OSVDB:32649)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0172.html\nISS X-Force ID: 31319\nFrSIRT Advisory: ADV-2007-0081\n[CVE-2007-0146](https://vulners.com/cve/CVE-2007-0146)\n", "affectedSoftware": [{"operator": "eq", "version": "1.0", "name": "Fix & Chips CMS"}], "href": "https://vulners.com/osvdb/OSVDB:32646", "modified": "2007-01-06T11:03:48", "enchantments": {"score": {"value": 5.2, "vector": "NONE", "modified": "2017-04-28T13:20:29", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-0146"]}, {"type": "osvdb", "idList": ["OSVDB:32648", "OSVDB:32647", "OSVDB:32650", "OSVDB:32649"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7013"]}], "modified": "2017-04-28T13:20:29", "rev": 2}, "vulnersScore": 5.2}, "id": "OSVDB:32646", "title": "Fix And Chips CMS System delete-announce.php id Variable XSS", "edition": 1, "published": "2007-01-06T11:03:48", "type": "osvdb", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "cvelist": ["CVE-2007-0146"], "lastseen": "2017-04-28T13:20:29"}

{"cve": [{"lastseen": "2020-10-03T11:45:48", "description": "Multiple cross-site scripting (XSS) vulnerabilities in Fix and Chips CMS 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter in (a) delete-announce.php; the (2) Announcement form field in (b) staff.php; the (3) Client Name, (4) Business Name, (5) Street, (6) Address 2, (7) Town/City, (8) Postcode, (9) Phone Number, (10) Email Address and (11) Website Address form fields in (c) new_customer.php; and unspecified fields in (d) search.php and (e) client-results.php.", "edition": 3, "cvss3": {}, "published": "2007-01-09T18:28:00", "title": "CVE-2007-0146", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-0146"], "modified": "2018-10-16T16:31:00", "cpe": ["cpe:/a:fix_and_chips_computer_services:fix_and_chips_cms:1.0"], "id": "CVE-2007-0146", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0146", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:fix_and_chips_computer_services:fix_and_chips_cms:1.0:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:29", "bulletinFamily": "software", "cvelist": ["CVE-2007-0146"], "description": "## Vulnerability Description\nFix And Chips CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Announcement' variable upon submission to the staff.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 1.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nFix And Chips CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Announcement' variable upon submission to the staff.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\n[Secunia Advisory ID:23625](https://secuniaresearch.flexerasoftware.com/advisories/23625/)\n[Related OSVDB ID: 32650](https://vulners.com/osvdb/OSVDB:32650)\n[Related OSVDB ID: 32648](https://vulners.com/osvdb/OSVDB:32648)\n[Related OSVDB ID: 32649](https://vulners.com/osvdb/OSVDB:32649)\n[Related OSVDB ID: 32646](https://vulners.com/osvdb/OSVDB:32646)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0172.html\nISS X-Force ID: 31319\nFrSIRT Advisory: ADV-2007-0081\n[CVE-2007-0146](https://vulners.com/cve/CVE-2007-0146)\n", "edition": 1, "modified": "2007-01-06T11:03:48", "published": "2007-01-06T11:03:48", "href": "https://vulners.com/osvdb/OSVDB:32647", "id": "OSVDB:32647", "title": "Fix And Chips CMS System staff.php Announcement Field XSS", "type": "osvdb", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:29", "bulletinFamily": "software", "cvelist": ["CVE-2007-0146"], "description": "## Vulnerability Description\nFix And Chips CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user input when listing results upon submission to the client-result.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 1.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nFix And Chips CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user input when listing results upon submission to the client-result.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\n[Secunia Advisory ID:23625](https://secuniaresearch.flexerasoftware.com/advisories/23625/)\n[Related OSVDB ID: 32647](https://vulners.com/osvdb/OSVDB:32647)\n[Related OSVDB ID: 32648](https://vulners.com/osvdb/OSVDB:32648)\n[Related OSVDB ID: 32649](https://vulners.com/osvdb/OSVDB:32649)\n[Related OSVDB ID: 32646](https://vulners.com/osvdb/OSVDB:32646)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0172.html\nISS X-Force ID: 31319\nFrSIRT Advisory: ADV-2007-0081\n[CVE-2007-0146](https://vulners.com/cve/CVE-2007-0146)\n", "edition": 1, "modified": "2007-01-06T11:03:48", "published": "2007-01-06T11:03:48", "href": "https://vulners.com/osvdb/OSVDB:32650", "id": "OSVDB:32650", "title": "Fix And Chips CMS System client-results.php XSS", "type": "osvdb", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:29", "bulletinFamily": "software", "cvelist": ["CVE-2007-0146"], "description": "## Vulnerability Description\nFix And Chips CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate any variables upon submission to the new_customer.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 1.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nFix And Chips CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate any variables upon submission to the new_customer.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\n[Secunia Advisory ID:23625](https://secuniaresearch.flexerasoftware.com/advisories/23625/)\n[Related OSVDB ID: 32650](https://vulners.com/osvdb/OSVDB:32650)\n[Related OSVDB ID: 32647](https://vulners.com/osvdb/OSVDB:32647)\n[Related OSVDB ID: 32649](https://vulners.com/osvdb/OSVDB:32649)\n[Related OSVDB ID: 32646](https://vulners.com/osvdb/OSVDB:32646)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0172.html\nISS X-Force ID: 31319\nFrSIRT Advisory: ADV-2007-0081\n[CVE-2007-0146](https://vulners.com/cve/CVE-2007-0146)\n", "edition": 1, "modified": "2007-01-06T11:03:48", "published": "2007-01-06T11:03:48", "href": "https://vulners.com/osvdb/OSVDB:32648", "id": "OSVDB:32648", "title": "Fix And Chips CMS System new_customer.php Multiple Field XSS", "type": "osvdb", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:29", "bulletinFamily": "software", "cvelist": ["CVE-2007-0146"], "description": "## Vulnerability Description\nFix And Chips CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user input when listing results upon submission to the search.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 1.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nFix And Chips CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user input when listing results upon submission to the search.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\n[Secunia Advisory ID:23625](https://secuniaresearch.flexerasoftware.com/advisories/23625/)\n[Related OSVDB ID: 32650](https://vulners.com/osvdb/OSVDB:32650)\n[Related OSVDB ID: 32647](https://vulners.com/osvdb/OSVDB:32647)\n[Related OSVDB ID: 32648](https://vulners.com/osvdb/OSVDB:32648)\n[Related OSVDB ID: 32646](https://vulners.com/osvdb/OSVDB:32646)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0172.html\nISS X-Force ID: 31319\nFrSIRT Advisory: ADV-2007-0081\n[CVE-2007-0146](https://vulners.com/cve/CVE-2007-0146)\n", "edition": 1, "modified": "2007-01-06T11:03:48", "published": "2007-01-06T11:03:48", "href": "https://vulners.com/osvdb/OSVDB:32649", "id": "OSVDB:32649", "title": "Fix And Chips CMS System search.php XSS", "type": "osvdb", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:22", "bulletinFamily": "software", "cvelist": ["CVE-2007-0142", "CVE-2007-0152", "CVE-2007-0146", "CVE-2007-0141"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2007-01-07T00:00:00", "published": "2007-01-07T00:00:00", "id": "SECURITYVULNS:VULN:7013", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7013", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}