DDIVRT-2009-21 vBook Login Application Cross-site Scripting Vulnerability
January 19th, 2009
Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$
Alterations of the title and message parameters in vBook allow attackers to specify arbitrary web or scripting content. Scripting tags supplied this way are executed by the browser, allowing XSS attacks. Such an attack would require convincing a user to click on a specially crafted link.
No patch is available at this time.
Windows Server 2003, IIS
vBook v 4.2.17
Vendor Name: Retrieve Technologies, Inc.
Vendor Website: http://www.retrieve.com/index.html