CVE-2004-0358

Cross-site scripting (XSS) vulnerability in VirtuaNews Admin Panel Pro 1.0.3 allows remote attackers to execute arbitrary script as other users via (1) the mainnews parameter in admin.php, (2) the expand parameter in admin.php, (3) the id parameter in admin.php, (4) the catid parameter in admin.php, or (5) an unnamed parameter during the newslogo_upload action in admin.php.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://archives.neohapsis.com/archives/bugtraq/2004-03/0069.html	Exploit
http://marc.info/?l=bugtraq&m=107851556116088&w=2
http://www.securityfocus.com/bid/9812	Exploit
http://www.securityfocus.com/bid/9819	Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/15402

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:virtuasystems:virtuanews_pro:1.0:::::::*
	cpe:2.3:a:virtuasystems:virtuanews_pro:1.0.1:::::::*
	cpe:2.3:a:virtuasystems:virtuanews_pro:1.0.2:::::::*
	cpe:2.3:a:virtuasystems:virtuanews_pro:1.0.3:::::::*

History

No history.

Information

Published : 2004-11-23 05:00

Updated : 2017-07-11 01:30

NVD link : CVE-2004-0358

Mitre link : CVE-2004-0358

CVE.ORG link : CVE-2004-0358

JSON object : View

Products Affected

virtuasystems

virtuanews_pro

CWE

NVD-CWE-Other

{"id": "CVE-2004-0358", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}]}, "published": "2004-11-23T05:00:00.000", "references": [{"url": "http://archives.neohapsis.com/archives/bugtraq/2004-03/0069.html", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://marc.info/?l=bugtraq&m=107851556116088&w=2", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/9812", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/9819", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/15402", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in VirtuaNews Admin Panel Pro 1.0.3 allows remote attackers to execute arbitrary script as other users via (1) the mainnews parameter in admin.php, (2) the expand parameter in admin.php, (3) the id parameter in admin.php, (4) the catid parameter in admin.php, or (5) an unnamed parameter during the newslogo_upload action in admin.php."}], "lastModified": "2017-07-11T01:30:05.887", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:virtuasystems:virtuanews_pro:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A71DCE88-F015-4F92-AE97-01B72B11AE49"}, {"criteria": "cpe:2.3:a:virtuasystems:virtuanews_pro:1.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "30DEDB56-8215-4B2D-B1EA-18FA1334A82B"}, {"criteria": "cpe:2.3:a:virtuasystems:virtuanews_pro:1.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D3FF05F-4EC8-4E83-A047-E8A7B4374501"}, {"criteria": "cpe:2.3:a:virtuasystems:virtuanews_pro:1.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B39E1563-6F89-4B39-80C6-FA95A07EE886"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}