← back
CVE-2011-4275

CVE-2011-4275

EPSS 1.6%
Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted company name, (2) a crafted database server name, (3) a crafted CSV file, (4) a crafted copy-and-paste action, (5) the auth_user parameter in a suggest_pwd action to UI.php, (6) the c[menu] parameter to UniversalSearch.php, (7) the description parameter in a SearchFormToAdd_document_list action to UI.php, (8) the category parameter in an errors action to audit.php, or (9) the suggest_pwd parameter to UI.php.
Affected products
n/a · n/a
public PoCs found6
exploitdbwww.exploit-db.com/exploits/29210unverifiedexploitdbwww.exploit-db.com/exploits/24529unverifiedexploitdbwww.exploit-db.com/exploits/24969unverifiedexploitdbwww.exploit-db.com/exploits/24492unverifiedexploitdbwww.exploit-db.com/exploits/10532unverifiedexploitdbwww.exploit-db.com/exploits/29091unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://www.securityfocus.com/archive/1/520632http://www.securityfocus.com/archive/1/520632/100/0/threadedhttp://www.tele-consulting.com/advisories/TC-SA-2011-02.txt