
vBook Login Application Cross-site Scripting Vulnerability



DDIVRT-2009-21 vBook Login Application Cross-site Scripting Vulnerability



Title
-----
DDIVRT-2009-21 vBook Login Application Cross-site Scripting Vulnerability

Severity
--------
Low

Date Discovered
---------------
January 19th, 2009

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description
-------------------------
Altering the title and message parameters in vBook allows an attacker to specify arbitrary web or scripting content. Scripting tags supplied this way are executed by the browser, enabling cross-site scripting (XSS) attacks. Such an attack would require convincing a user to click on a specially crafted link.

Solution Description
--------------------
No patch is available at this time.
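
With no patch available, one compensating control is to review web server logs for markup in the two affected parameters. The following is an added example, not part of the original advisory or the vendor's code. It assumes IIS W3C extended logging with the cs-uri-query field enabled; the request path, IP addresses and log lines are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Parameters named in the advisory as reflecting caller-supplied content.
WATCHED = {"title", "message"}
# Markup or script indicators that have no place in a plain-text parameter.
SUSPICIOUS = re.compile(r"[<>]|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (bounded) so encoded markup is not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_requests(log_lines):
    """Return (client_ip, uri_stem, param, decoded_value) for suspicious hits."""
    fields, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        if query == "-":  # IIS logs "-" when there is no query string
            continue
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = fully_decode(value)
            if name.lower() in WATCHED and SUSPICIOUS.search(decoded):
                hits.append((row.get("c-ip"), row.get("cs-uri-stem"),
                             name.lower(), decoded))
    return hits

# Constructed sample log: documentation IP ranges, placeholder path.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-01-19 10:00:01 192.0.2.10 GET /PLACEHOLDER/login title=Welcome&message=Please+sign+in 200
2009-01-19 10:00:07 198.51.100.7 GET /PLACEHOLDER/login title=%3Cscript%3Ealert(1)%3C/script%3E&message=hi 200
2009-01-19 10:00:09 198.51.100.7 GET /PLACEHOLDER/login title=Hi&message=%253Cimg+src%253Dx+onerror%253Dalert(1)%253E 200
2009-01-19 10:00:12 192.0.2.11 GET /PLACEHOLDER/style.css - 200
""".splitlines()

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

The pattern is deliberately broad and will also flag benign values containing angle brackets, so treat hits as leads for review rather than confirmed incidents.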

Tested Systems / Software (with versions)
------------------------------------------
Windows Server 2003, IIS vBook v 4.2.17

Vendor Contact
--------------
Vendor Name: Retrieve Technologies, Inc.
Vendor Website: http://www.retrieve.com/index.html 

