NVD Vulnerability Detail

CVE-2013-1466

Summary	Multiple cross-site scripting (XSS) vulnerabilities in glFusion before 1.2.2.pl4 allow remote attackers to inject arbitrary web script or HTML via the (1) subject parameter to profiles.php; (2) address1, (3) address2, (4) calendar_type, (5) city, (6) state, (7) title, (8) url, or (9) zipcode parameter to calendar/index.php; (10) title or (11) url parameter to links/index.php; or (12) PATH_INFO to admin/plugins/mediagallery/xppubwiz.php/.
Publication Date	Feb. 6, 2014, 12:10 a.m.
Registration Date	Jan. 26, 2021, 3:36 p.m.
Last Update	Nov. 21, 2024, 10:49 a.m.

CVSS2.0 : MEDIUM
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	低
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	はい

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:glfusion:glfusion:1.2.0.pl1:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.2:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.0.pl7:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.6.pl4:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.8.pl6:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.8.pl1:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.6.pl1:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.4.pl2:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.3:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.8.pl3:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.7:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.5.pl2:::::::*
cpe:2.3:a:glfusion:glfusion:1.0.0:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.0.pl3:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.8.pl4:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.6:::::::*
cpe:2.3:a:glfusion:glfusion:1.0.2:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.4:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.4.pl3:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.4.pl4:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.6.pl2:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.0.pl2:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.2.pl2:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.8:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.0:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.2.pl1:::::::*
cpe:2.3:a:glfusion:glfusion:1.0.1:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.0.pl5:::::::*
cpe:2.3:a:glfusion:glfusion:1.0.0:rc2::::::
cpe:2.3:a:glfusion:glfusion:1.1.8.pl2:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.8.pl5:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.5.pl3:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.0.pl4:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.1:::::::*
cpe:2.3:a:glfusion:glfusion::::::::		1.2.2.pl3
cpe:2.3:a:glfusion:glfusion:1.2.2:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.4.pl1:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.6.pl3:::::::*
cpe:2.3:a:glfusion:glfusion:1.0.0:rc1::::::
cpe:2.3:a:glfusion:glfusion:1.1.0:rc1::::::
cpe:2.3:a:glfusion:glfusion:1.1.5.pl1:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.0:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.0.pl6:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.5:::::::*

Related information, measures and tools

No	URL	タグ
1	http://archives.neohapsis.com/archives/bugtraq/2013-02/0093.html
2	http://archives.neohapsis.com/archives/bugtraq/2013-02/0093.html
3	http://packetstormsecurity.com/files/120423/glFusion-1.2.2-Cross-Site-Scripting.html
4	http://packetstormsecurity.com/files/120423/glFusion-1.2.2-Cross-Site-Scripting.html
5	http://secunia.com/advisories/52255	Vendor Advisory
6	http://secunia.com/advisories/52255	Vendor Advisory
7	http://www.exploit-db.com/exploits/24536
8	http://www.exploit-db.com/exploits/24536
9	http://www.glfusion.org/article.php/glf122_update_20130130_01	Patch Vendor Advisory
10	http://www.glfusion.org/article.php/glf122_update_20130130_01	Patch Vendor Advisory
11	https://exchange.xforce.ibmcloud.com/vulnerabilities/82211
12	https://exchange.xforce.ibmcloud.com/vulnerabilities/82211
13	https://www.htbridge.com/advisory/HTB23142
14	https://www.htbridge.com/advisory/HTB23142

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN Vulnerability Information

glFusion におけるクロスサイトスクリプティングの脆弱性

Title	glFusion におけるクロスサイトスクリプティングの脆弱性
Summary	glFusion には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	第三者により、下記の項目を介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。 (1) profiles.php の subject パラメータ (2) calendar/index.php の address1 パラメータ (3) calendar/index.php の address2 パラメータ (4) calendar/index.php の calendar_type パラメータ (5) calendar/index.php の city パラメータ (6) calendar/index.php の state パラメータ (7) calendar/index.php の title パラメータ (8) calendar/index.php の url パラメータ (9) calendar/index.php の zipcode パラメータ (10) links/index.php の title パラメータ (11) links/index.php の url パラメータ (12) admin/plugins/mediagallery/xppubwiz.php/ の PATH_INFO
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 30, 2013, midnight
Registration Date	Feb. 6, 2014, 4:39 p.m.
Last Update	Feb. 6, 2014, 4:39 p.m.

Affected System

glFusion

glFusion 1.2.2.pl4 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-1466	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1466
National Vulnerability Database (NVD)
2	CVE-2013-1466	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1466

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
glFusion
1	glFusion v1.2.2 Patch Level #4 Security Updates	http://www.glfusion.org/article.php/glf122_update_20130130_01

Change Log

No	Changed Details	Date of change
0	[2014年02月06日] 掲載	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:glfusion:glfusion:1.2.0.pl1:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.2:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.0.pl7:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.6.pl4:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.8.pl6:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.8.pl1:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.6.pl1:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.4.pl2:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.3:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.8.pl3:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.7:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.5.pl2:::::::*
cpe:2.3:a:glfusion:glfusion:1.0.0:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.0.pl3:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.8.pl4:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.6:::::::*
cpe:2.3:a:glfusion:glfusion:1.0.2:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.4:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.4.pl3:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.4.pl4:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.6.pl2:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.0.pl2:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.2.pl2:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.8:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.0:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.2.pl1:::::::*
cpe:2.3:a:glfusion:glfusion:1.0.1:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.0.pl5:::::::*
cpe:2.3:a:glfusion:glfusion:1.0.0:rc2::::::
cpe:2.3:a:glfusion:glfusion:1.1.8.pl2:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.8.pl5:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.5.pl3:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.0.pl4:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.1:::::::*
cpe:2.3:a:glfusion:glfusion::::::::		1.2.2.pl3
cpe:2.3:a:glfusion:glfusion:1.2.2:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.4.pl1:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.6.pl3:::::::*
cpe:2.3:a:glfusion:glfusion:1.0.0:rc1::::::
cpe:2.3:a:glfusion:glfusion:1.1.0:rc1::::::
cpe:2.3:a:glfusion:glfusion:1.1.5.pl1:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.0:::::::*
cpe:2.3:a:glfusion:glfusion:1.2.0.pl6:::::::*
cpe:2.3:a:glfusion:glfusion:1.1.5:::::::*