DDIVRT-2009-21 vBook Login Application Cross-site Scripting Vulnerability

2009-03-09T00:00:00
ID SECURITYVULNS:DOC:21450
Type securityvulns
Reporter Securityvulns
Modified 2009-03-09T00:00:00

Description

Title

DDIVRT-2009-21 vBook Login Application Cross-site Scripting Vulnerability

Severity

Low

Date Discovered

January 19th, 2009

Discovered By

Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description

Alterations of the title and message parameters in vBook allow attackers to specify arbitrary web or scripting content. Because that content is returned to the browser, script tags in it are executed, resulting in cross-site scripting (XSS). Such an attack would require convincing a user to click on a specially crafted link.

Solution Description

No patch is available at this time.
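
With no patch available, one compensating control is to watch the web server logs for markup arriving in the two affected parameters. The following is an added example, not part of the advisory or of any vendor code: it scans IIS W3C extended log lines and flags requests whose `title` or `message` query values decode to HTML or script content. The log lines are constructed, and `/PLACEHOLDER/login` stands in for the vBook login path, which the advisory does not give.

```python
import re
from urllib.parse import parse_qsl, unquote

# Parameters the advisory names as reflecting attacker-supplied content.
WATCHED_PARAMS = {"title", "message"}
# Heuristic markup indicators: tag opener, inline event handler, script URI.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon\w+\s*=|javascript\s*:", re.I)

# Constructed sample log; "/PLACEHOLDER/login" is not vBook's real path.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-03-09 10:00:01 192.0.2.10 GET /PLACEHOLDER/login title=Welcome&message=Please+sign+in 200
2009-03-09 10:00:07 192.0.2.55 GET /PLACEHOLDER/login title=Notice&message=%3Cscript%3Ealert(1)%3C/script%3E 200
2009-03-09 10:00:09 192.0.2.56 GET /PLACEHOLDER/login title=%253Cimg+src%253Dx%253E&message=hi 200
2009-03-09 10:00:12 192.0.2.10 GET /PLACEHOLDER/other q=%3Cb%3E 200
""".splitlines()

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <), bounded in depth."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(query):
    """Return watched parameter names whose decoded value contains markup."""
    hits = set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in WATCHED_PARAMS and MARKUP.search(fully_decode(value)):
            hits.add(name.lower())
    return sorted(hits)

def scan_w3c_log(lines):
    """Yield (client_ip, uri_stem, flagged_params) for each suspicious request."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split(" ")))
            flagged = suspicious_params(row.get("cs-uri-query", "-"))
            if flagged:
                yield row.get("c-ip", "-"), row.get("cs-uri-stem", "-"), flagged

if __name__ == "__main__":
    for hit in scan_w3c_log(SAMPLE_LOG):
        print(hit)
```

The markup pattern is a heuristic and will also flag benign text that happens to contain tag-like strings, so treat hits as leads for review rather than confirmed attacks.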

Tested Systems / Software (with versions)

Windows Server 2003, IIS
vBook v 4.2.17

Vendor Contact

Vendor Name: Retrieve Technologies, Inc.
Vendor Website: http://www.retrieve.com/index.html