CVE-2005-2044

EPSS 2.9%

Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.3 and 1.5 RC 1 allow remote attackers to inject arbitrary web script or HTML via the (1) show_course parameter to browse.php, (2) subject parameter to contact.php, (3) cid parameter to content.php, (4) l parameter to inbox/send_message.php, the (5) search, (6) words, (7) include, (8) find_in, (9) display_as, or (10) search parameter to search.php, the (11) submit, (12) query, or (13) field parameter to tile.php, the (14) us parameter to forum/subscribe_forum.php, or the (15) roles[], (16) status, (17) submit, or (18) reset_filter parameters to directory.php.

Affected products

n/a · n/a

public PoCs found — 9

exploitdbwww.exploit-db.com/exploits/25831unverified exploitdbwww.exploit-db.com/exploits/25826unverified exploitdbwww.exploit-db.com/exploits/25827unverified exploitdbwww.exploit-db.com/exploits/25828unverified exploitdbwww.exploit-db.com/exploits/25834unverified exploitdbwww.exploit-db.com/exploits/25830unverified exploitdbwww.exploit-db.com/exploits/25829unverified exploitdbwww.exploit-db.com/exploits/25833unverified exploitdbwww.exploit-db.com/exploits/25832unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://lostmon.blogspot.com/2005/06/atutor-multiple-variable-cross-site.html http://securitytracker.com/id?1014216 http://www.osvdb.org/17351 http://www.osvdb.org/17352 http://www.osvdb.org/17353 http://www.osvdb.org/17354 http://www.osvdb.org/17355 http://www.osvdb.org/17356 http://www.osvdb.org/17357 http://www.osvdb.org/17358 http://www.osvdb.org/17359 http://www.securityfocus.com/bid/13972