CVE-2006-3009

EPSS 2.5%

Multiple cross-site scripting (XSS) vulnerabilities in Open Business Management (OBM) 1.0.3 pl1 allow remote attackers to inject arbitrary HTML or web script via the (1) tf_lang, (2) tf_name, (3) tf_user, (4) tf_lastname, (5) tf_contact, (6) tf_datebefore, and (7) tf_dateafter parameters to files such as (a) publication/publication_index.php, (b) group/group_index.php, (c) user/user_index.php, (d) list/list_index.php, and (e) company/company_index.php.

Affected products

n/a · n/a

public PoCs found — 5

exploitdbwww.exploit-db.com/exploits/27998unverified exploitdbwww.exploit-db.com/exploits/27995unverified exploitdbwww.exploit-db.com/exploits/27997unverified exploitdbwww.exploit-db.com/exploits/27994unverified exploitdbwww.exploit-db.com/exploits/27996unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://pridels0.blogspot.com/2006/06/obm-multiple-sql-inj-and-xss-vuln.html http://secunia.com/advisories/20486 https://exchange.xforce.ibmcloud.com/vulnerabilities/27031 http://www.osvdb.org/26198 http://www.osvdb.org/26199 http://www.osvdb.org/26200 http://www.osvdb.org/26201 http://www.osvdb.org/26202 http://www.securityfocus.com/bid/18348