Cross site scripting

2008-07-2217:41:00

PRIOn knowledge base

www.prio-n.com

6 Medium

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.2%

JSON

Multiple cross-site scripting (XSS) vulnerabilities in Claroline before 1.8.10 allow remote attackers to inject arbitrary web script or HTML via (1) the cwd parameter in a rqMkHtml action to document/rqmkhtml.php, or the query string to (2) announcements/announcements.php, (3) calendar/agenda.php, (4) course/index.php, (5) course_description/index.php, (6) document/document.php, (7) exercise/exercise.php, (8) group/group_space.php, (9) phpbb/newtopic.php, (10) phpbb/reply.php, (11) phpbb/viewtopic.php, (12) wiki/wiki.php, or (13) work/work.php in claroline/.

CPENameOperatorVersion
clarolineeq1.8.1
clarolineeq1.7.5
clarolineeq1.8.2
clarolineeq1.8.4
clarolineeq1.7.4
clarolineeq1.5.4
clarolineeq1.2
clarolinele1.8.9
clarolineeq1.6.0-beta
clarolineeq1.8.7

Name	Operator	Version
claroline	eq	1.8.1
claroline	eq	1.7.5
claroline	eq	1.8.2
claroline	eq	1.8.4
claroline	eq	1.7.4
claroline	eq	1.5.4
claroline	eq	1.2
claroline	le	1.8.9
claroline	eq	1.6.0-beta
claroline	eq	1.8.7

Rows per page:

1-10 of 271

References

claroline.svn.sourceforge.net/viewrc/claroline/branches/1.8/claroline/?sortby=date

secunia.com/advisories/31116

securityreason.com/securityalert/4020

sourceforge.net/project/shownotes.php?release_id=613634

wiki.claroline.net/index.php/Changelog_1.8.x

www.securityfocus.com/archive/1/494539/100/0/threaded

www.securityfocus.com/bid/30269

exchange.xforce.ibmcloud.com/vulnerabilities/43854