CVE-2004-1939
Published: 2004-04-14
Priority P417, medium, 4.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 1.74% (74.9th percentile)
Cross-site scripting (XSS) vulnerability in Zaep AntiSpam 2.0 allows remote attackers to inject arbitrary web script or HTML via double encoded slashes (%252F) in the key parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rhinosoft | zaep_antispam | — | — |
| rhinosoft | zaep_antispam | — | — |
No detection rules found.
Exploit-DB
IPSwitch WhatsUp Small Business 2004 Report Service - Directory Traversal
exploitdb·2005-11-03
CVE-2005-1939 IPSwitch WhatsUp Small Business 2004 Report Service - Directory Traversal
---
source: https://www.securityfocus.com/bid/15291/info
IPSwitch WhatsUp Small Business 2004 is prone to a directory traversal vulnerability. Successful exploitation could allow a remote attacker to gain access to files outside the Web root. Sensitive information may be obtained in this manner.
http://[address of server]:8022/../../../../../../../../../../../boot.ini
Exploit-DB
Rhino Software Zaep AntiSpam 2.0 - Cross-Site Scripting
exploitdb·2004-04-14
CVE-2004-1939 Rhino Software Zaep AntiSpam 2.0 - Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/10139/info
It has been reported that Zaep AntiSpam is prone to a cross-site scripting vulnerability. This issue is due to a failure of the application to properly sanitize user supplied URI input.
This issue could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials or other attacks.
http://example.zaep/?key=alert(document.cookie)
No writeups or analysis indexed.
CWE
Double Decoding of the Same Data
mitre_cwe
CWE-174 Double Decoding of the Same Data
The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Access Control, Confidentiality, Availability, Integrity, Other. Impact: Bypass Protection Mechanism, Execute Unauthorized Code or Commands, Varies by Context.
Potential Mitigations:
[Architecture and Design] Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not
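An added example (not from the advisory or from Zaep AntiSpam's code) of the pattern CWE-174 describes: a filter placed between two decoding passes, next to a version that decodes once, validates against an allow-list and encodes on output. The filter, the function names and the sample values are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Hypothetical deny-list filter: markup characters and the slash.
BLOCKED = re.compile(r"[<>\"'/]")
# Hypothetical "accept known good" rule for the key parameter.
ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_render(raw_key: str) -> str:
    """CWE-174 pattern: the filter runs between two decoding passes."""
    once = unquote(raw_key)          # first decode (normally done by the web server)
    if BLOCKED.search(once):
        return "rejected"
    twice = unquote(once)            # second decode after the check: the defect
    return f"<p>key: {twice}</p>"    # reflected without output encoding


def hardened_render(raw_key: str) -> str:
    """Decode exactly once, validate the canonical value, encode on output."""
    once = unquote(raw_key)
    # The allow-list has no '%', so a value that is still percent-encoded
    # after one decode never reaches the template.
    if not ALLOWED.fullmatch(once):
        return "rejected"
    return f"<p>key: {html.escape(once)}</p>"


def demo() -> dict:
    # Constructed sample values: plain, single-encoded, double-encoded.
    samples = ["abc123", "%3Cb%3E", "%253Cb%253E", "a%252Fb"]
    return {s: (vulnerable_render(s), hardened_render(s)) for s in samples}


if __name__ == "__main__":
    for value, (weak, strong) in demo().items():
        print(f"{value!r:16} vulnerable={weak!r:22} hardened={strong!r}")
```

The single-encoded value is caught by both versions; only the double-encoded values separate them, because the deny-list sees `%3C` and `%2F` as harmless text before the second decode turns them back into `<` and `/`.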
CWE
Encoding Error
mitre_cwe
CWE-172 Encoding Error
The product does not properly encode or decode the data, resulting in unexpected values.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity. Impact: Unexpected State.
Potential Mitigations:
[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an e
CWE
Multiple Operations on Resource in Single-Operation Context
mitre_cwe·CVSS 4.3
[MEDIUM] CWE-675 Multiple Operations on Resource in Single-Operation Context
The product performs the same operation on a resource two or more times, when the operation should only be applied once.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Other. Impact: Other.
Examples:
The following code shows a simple example of a double free vulnerability.
Double free vulnerabilities have two common (and sometimes overlapping) causes:
- Error conditions and other exceptional circumstances
- Confusion over which part of the program is responsible for freeing the memory
Although some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to f
References:
http://marc.info/?l=bugtraq&m=108241507812681&w=2
http://secunia.com/advisories/11388
http://www.securiteam.com/windowsntfocus/5EP0I15CKK.html
http://www.securityfocus.com/bid/10139
https://exchange.xforce.ibmcloud.com/vulnerabilities/15858