CVE-2004-2511
published 2004-12-31CVE-2004-2511: Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 5.3.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the…
PriorityP422medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EXPLOIT
EPSS
5.32%
91.6th percentile
Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 5.3.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the year, (2) month, and (3) day parameters in calendar.php; (4) the cid and (5) url parameters in index.php; (6) the cid parameter in annoucement.php; (7) the cid parameter in news.php; (8) the cid parameter in contents.php; (9) the q parameter in search.php; and (10) the country parameter in register.php.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codeworx_technologies | dcp-portal | <= 5.3.2 | — |
| codeworx_technologies | dcp-portal | — | — |
| codeworx_technologies | dcp-portal | — | — |
| codeworx_technologies | dcp-portal | — | — |
| codeworx_technologies | dcp-portal | — | — |
| codeworx_technologies | dcp-portal | — | — |
| codeworx_technologies | dcp-portal | — | — |
| codeworx_technologies | dcp-portal | — | — |
| codeworx_technologies | dcp-portal | — | — |
| codeworx_technologies | dcp-portal | — | — |
| codeworx_technologies | dcp-portal | — | — |
| codeworx_technologies | dcp-portal | — | — |
| codeworx_technologies | dcp-portal | — | — |
| codeworx_technologies | dcp-portal | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-9jcq-wqvg-vp8r: Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 6
ghsa_unreviewed·2022-05-01·CVSS 4.3
CVE-2006-1120 [MEDIUM] GHSA-9jcq-wqvg-vp8r: Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 6
Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 6.1.1 and earlier, with register_globals enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) its_url parameter in the documents page and (2) url parameter in the send_write page of (a) index.php; (3) subject, and (4) images parameters to (b) calendar.php; (5) bid, (6) replying_msg, (7) subject, (8) body, and (9) mid parameters to (c) forums.php; (10) subject and (11) message parameters to (d) inbox.php; (12) subject_color and (13) email parameters to (e) lostpassword.php; and the (14) c_name, (15) content_inicial, and (16) cid parameters to (f) mycontents.php. NOTE: the calendar.php/day vector is already subsumed by CVE-2006-0220, and the calendar.php/month, calendar.php/year, and search.php/q
GHSA
GHSA-26fg-x3pj-c24v: Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 5
ghsa_unreviewed·2022-04-29
CVE-2004-2511 [MEDIUM] GHSA-26fg-x3pj-c24v: Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 5
Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 5.3.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the year, (2) month, and (3) day parameters in calendar.php; (4) the cid and (5) url parameters in index.php; (6) the cid parameter in annoucement.php; (7) the cid parameter in news.php; (8) the cid parameter in contents.php; (9) the q parameter in search.php; and (10) the country parameter in register.php.
No detection rules found.
Exploit-DB
DCP-Portal 3.7/4.x/5.x - 'news.php?cid' Cross-Site Scripting
exploitdb·2004-10-06
CVE-2004-2511 DCP-Portal 3.7/4.x/5.x - 'news.php?cid' Cross-Site Scripting
DCP-Portal 3.7/4.x/5.x - 'news.php?cid' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/11338/info
DCP-Portal is reported prone to multiple cross-site scripting vulnerabilities. It is reported that DCP-Portal does not sufficiently filter URI parameters supplied to several scripts.
Because of this deficiency, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of a legitimate user if the link is followed. The script code contained in the URI parameter will be executed in the context of the vulnerable website.
This may allow for theft of cookie-based authentication credentials and other attacks.
http://www.example.com/news.php?nid=34&cid=[XSS code here]
Exploit-DB
DCP-Portal 3.7/4.x/5.x - 'announcement.php?cid' Cross-Site Scripting
exploitdb·2004-10-06
CVE-2004-2511 DCP-Portal 3.7/4.x/5.x - 'announcement.php?cid' Cross-Site Scripting
DCP-Portal 3.7/4.x/5.x - 'announcement.php?cid' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/11338/info
DCP-Portal is reported prone to multiple cross-site scripting vulnerabilities. It is reported that DCP-Portal does not sufficiently filter URI parameters supplied to several scripts.
Because of this deficiency, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of a legitimate user if the link is followed. The script code contained in the URI parameter will be executed in the context of the vulnerable website.
This may allow for theft of cookie-based authentication credentials and other attacks.
http://www.example.com/annoucement.php?aid=8&cid=[XSS code here]
Exploit-DB
DCP-Portal 3.7/4.x/5.x - 'calendar.php' Multiple Cross-Site Scripting Vulnerabilities
exploitdb·2004-10-06
CVE-2004-2511 DCP-Portal 3.7/4.x/5.x - 'calendar.php' Multiple Cross-Site Scripting Vulnerabilities
DCP-Portal 3.7/4.x/5.x - 'calendar.php' Multiple Cross-Site Scripting Vulnerabilities
---
source: https://www.securityfocus.com/bid/11338/info
DCP-Portal is reported prone to multiple cross-site scripting vulnerabilities. It is reported that DCP-Portal does not sufficiently filter URI parameters supplied to several scripts.
Because of this deficiency, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of a legitimate user if the link is followed. The script code contained in the URI parameter will be executed in the context of the vulnerable website.
This may allow for theft of cookie-based authentication credentials and other attacks.
http://www.example.com/calendar.php?year=2004&month=[XSS code here]&day=01
ht
No writeups or analysis indexed.
http://archives.neohapsis.com/archives/bugtraq/2004-10/0042.htmlhttp://secunia.com/advisories/12751http://securitytracker.com/id?1006351http://www.osvdb.org/10585http://www.osvdb.org/10587http://www.osvdb.org/10588http://www.osvdb.org/10589http://www.osvdb.org/10590http://www.osvdb.org/11405http://www.securityfocus.com/bid/11338http://www.securityfocus.com/bid/11339https://exchange.xforce.ibmcloud.com/vulnerabilities/17638https://exchange.xforce.ibmcloud.com/vulnerabilities/17639http://archives.neohapsis.com/archives/bugtraq/2004-10/0042.htmlhttp://secunia.com/advisories/12751http://securitytracker.com/id?1006351http://www.osvdb.org/10585http://www.osvdb.org/10587http://www.osvdb.org/10588http://www.osvdb.org/10589http://www.osvdb.org/10590http://www.osvdb.org/11405http://www.securityfocus.com/bid/11338http://www.securityfocus.com/bid/11339https://exchange.xforce.ibmcloud.com/vulnerabilities/17638https://exchange.xforce.ibmcloud.com/vulnerabilities/17639
2004-12-31
Published