CVE-2001-1199
Published: 2001-12-17
Priority: P429 · Severity: High · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit indexed (see Exploit-DB below)
EPSS: 8.73% (94.5th percentile)
Cross-site scripting vulnerability in agora.cgi for Agora 3.0a through 4.0g, when debug mode is enabled, allows remote attackers to execute Javascript on other clients via the cart_id parameter.
Affected
32 ranges (25 shown; all entries identical, with no version bounds captured in the listing; the description above covers Agora 3.0a through 4.0g)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| steve_kneizys | agora.cgi | — | — |
No detection rules found.
Exploit-DB
Agora.CGI 3.x/4.0 - Debug Mode Cross-Site Scripting
exploitdb · 2001-12-17 · CVE-2001-1199
---
source: https://www.securityfocus.com/bid/3702/info
Agora.cgi is a freely available, open source shopping cart system.
When debug mode is enabled, the Agora.cgi script does not adequately filter HTML tags when debug information is being output. Debug mode is not enabled by default and must be explicitly turned on by an administrator.
As a result, it is possible for an attacker to construct a link to the script that includes maliciously constructed script code. When the link is clicked by a web user, the script code will be executed by the client in the context of the site running Agora.cgi.
This issue may be exploited by an attacker to steal cookie-based authentication credentials, permitting the attacker to hijack an Agora.c
Exploit-DB
Mozilla Bugzilla 2.4/2.6/2.8/2.10 - Arbitrary Command Execution
exploitdb · 2000-05-11 · CVE-2001-0329
---
source: https://www.securityfocus.com/bid/1199/info
Bugzilla is a web-based bug-tracking system based on Perl and MySQL. It allows people to submit bugs and catalogs them.
Bugzilla is prone to a vulnerability which may allow remote users to execute arbitrary commands on the target webserver.
When accepting a bug report, the script "process_bug.cgi" calls "./processmail" via a Perl system() call whose arguments are a number of parameters with values originating from user input via a web form. There are no checks against these values for shell metacharacters by the script before insertion into the system() call.
As a result, it is possible for an attacker to supply maliciously crafted input to form fields, which when submitted
No writeups or analysis indexed.
References
http://www.agoracgi.com/security.html
http://www.iss.net/security_center/static/7708.php
http://www.osvdb.org/698
http://www.securityfocus.com/archive/1/246044
http://www.securityfocus.com/bid/3702