OSVDB ID: 23916

Title: VPMi Enterprise Service_Requests.asp Request_Name_Display Parameter XSS

Info

Disclosure

Mar 14, 2006

Discovery

Unknown

Dates

Exploit

Mar 14, 2006

Solution

Unknown

Description

VPMi Enterprise contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Request_Name_Display' variable upon submission to the Service_Requests.asp script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Virtual Communication Services L.L.C

VPMi Enterprise

3.3

References

Bugtraq ID: 17172
Secunia Advisory ID: 19297
CVE ID: 2006-1266 (see also: NVD)
Mail List Post: http://attrition.org/pipermail/vim/2006-March/000605.html
Vendor URL: http://www.vcsonline.com/VCS/VPMi/VCS_VPMi_Unlimited/VPMi_Unlimited.htm

Credit

Steven M. Christey - coleymitre.org - MITRE

Direct URL: http://osvdb.org/36218