CVE-2004-2028
published 2004-05-21CVE-2004-2028: Cross-site scripting (XSS) vulnerability in stats.php in e107 allows remote attackers to inject arbitrary web script or HTML via the referer parameter to…
PriorityP418medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EXPLOIT
EPSS
3.51%
87.7th percentile
Cross-site scripting (XSS) vulnerability in stats.php in e107 allows remote attackers to inject arbitrary web script or HTML via the referer parameter to log.php.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| e107 | e107 | — | — |
| e107 | e107 | — | — |
| e107 | e107 | — | — |
| e107 | e107 | — | — |
| e107 | e107 | — | — |
| e107 | e107 | — | — |
| e107 | e107 | — | — |
| e107 | e107 | — | — |
| e107 | e107 | — | — |
| e107 | e107 | — | — |
| e107 | e107 | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Comersus Cart 5.0 - HTTP Response Splitting
exploitdb·2004-09-01
CVE-2004-1656 Comersus Cart 5.0 - HTTP Response Splitting
Comersus Cart 5.0 - HTTP Response Splitting
---
source: https://www.securityfocus.com/bid/11083/info
Comersus Cart is reported prone to a HTTP response splitting vulnerability. A remote attacker may exploit this vulnerability to influence or misrepresent how web content is served, cached or interpreted. This could aid in various attacks, which try to entice client users into a false sense of trust.
This issue was identified in Comersus Shopping Cart 5.0991, however, other versions may be affected as well.
http://www.example.com/path_to_comersus/comersus_customerLoggedVerify.asp?
redirecturl=%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-L
ength:%2028%0d%0a%0d%0a{html}0wned%20by%20me{/html}
Exploit-DB
e107 Website System 0.5/0.6 - 'Log.php' HTML Injection
exploitdb·2004-05-21
CVE-2004-2028 e107 Website System 0.5/0.6 - 'Log.php' HTML Injection
e107 Website System 0.5/0.6 - 'Log.php' HTML Injection
---
source: https://www.securityfocus.com/bid/10395/info
It is reported that e107 website system is prone to a remote HTML injection vulnerability. This issue is due to a failure by the application to properly sanitize user-supplied input.
The problem presents itself when a user supplies malicious HTML or script code to the application using a URI parameter of the log.php script. The application stores the injected HTML code, which is then rendered in the browser of an unsuspecting user whenever the log page of the affected site is viewed.
http://www.example.com/e107_plugins/log/log.php?referer=codegoes&color=24&eself=http://www.example.com/stats.php&res=1341X1341
No writeups or analysis indexed.
http://marc.info/?l=bugtraq&m=108515632622796&w=2http://secunia.com/advisories/11693http://www.osvdb.org/6345http://www.securityfocus.com/bid/10395https://exchange.xforce.ibmcloud.com/vulnerabilities/16231http://marc.info/?l=bugtraq&m=108515632622796&w=2http://secunia.com/advisories/11693http://www.osvdb.org/6345http://www.securityfocus.com/bid/10395https://exchange.xforce.ibmcloud.com/vulnerabilities/16231
2004-05-21
Published