CVE-2013-1463

Current Description

Multiple cross-site scripting (XSS) vulnerabilities in glFusion before 1.2.2.pl4 allow remote attackers to inject arbitrary web script or HTML via the (1) subject parameter to profiles.php; (2) address1, (3) address2, (4) calendar_type, (5) city, (6) state, (7) title, (8) url, or (9) zipcode parameter to calendar/index.php; (10) title or (11) url parameter to links/index.php; or (12) PATH_INFO to admin/plugins/mediagallery/xppubwiz.php/.

Referenced by CVEs: CVE-2013-1455, CVE-2013-1804

Basic Data

Published: February 05, 2014
Last Modified: August 29, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-79
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 4.3
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
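    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    | 2.3 | Application | Glfusion | Glfusion | 1.0.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.0.0 | rc1 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.0.0 | rc2 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.0.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.0.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.0 | rc1 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.4.pl1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.4.pl2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.4.pl3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.4.pl4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.5.pl1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.5.pl2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.5.pl3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.6.pl1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.6.pl2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.6.pl3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.6.pl4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.7 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.8 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.8.pl1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.8.pl2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.8.pl3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.8.pl4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.8.pl5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.1.8.pl6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.2.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.2.0.pl1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.2.0.pl2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.2.0.pl3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.2.0.pl4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.2.0.pl5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.2.0.pl6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.2.0.pl7 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.2.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.2.2.pl1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | 1.2.2.pl2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Glfusion | Glfusion | * | * | * | * | * | * | * | * | | 1.2.2.pl3 | | |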

Vulnerable Software List

| Vendor | Product | Versions |
| Glfusion | Glfusion | *, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.4.pl1, 1.1.4.pl2, 1.1.4.pl3, 1.1.4.pl4, 1.1.5, 1.1.5.pl1, 1.1.5.pl2, 1.1.5.pl3, 1.1.6, 1.1.6.pl1, 1.1.6.pl2, 1.1.6.pl3, 1.1.6.pl4, 1.1.7, 1.1.8, 1.1.8.pl1, 1.1.8.pl2, 1.1.8.pl3, 1.1.8.pl4, 1.1.8.pl5, 1.1.8.pl6, 1.2.0, 1.2.0.pl1, 1.2.0.pl2, 1.2.0.pl3, 1.2.0.pl4, 1.2.0.pl5, 1.2.0.pl6, 1.2.0.pl7, 1.2.2, 1.2.2.pl1, 1.2.2.pl2 |

References

| Name | URL | Source | Tags |
| 20130220 Multiple Cross-Site Scripting (XSS) in glFusion | http://archives.neohapsis.com/archives/bugtraq/2013-02/0093.html | BUGTRAQ | |
| http://packetstormsecurity.com/files/120423/glFusion-1.2.2-Cross-Site-Scripting.html | http://packetstormsecurity.com/files/120423/glFusion-1.2.2-Cross-Site-Scripting.html | MISC | |
| 52255 | http://secunia.com/advisories/52255 | SECUNIA | Vendor Advisory |
| 24536 | http://www.exploit-db.com/exploits/24536 | EXPLOIT-DB | |
| http://www.glfusion.org/article.php/glf122_update_20130130_01 | http://www.glfusion.org/article.php/glf122_update_20130130_01 | CONFIRM | Patch, Vendor Advisory |
| glfusion-multiple-xss(82211) | https://exchange.xforce.ibmcloud.com/vulnerabilities/82211 | XF | |
| https://www.htbridge.com/advisory/HTB23142 | https://www.htbridge.com/advisory/HTB23142 | MISC | |