CVE-2009-3789
published 2009-10-26CVE-2009-3789: Multiple cross-site scripting (XSS) vulnerabilities in OpenDocMan 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the last_message…
PriorityP421medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EXPLOIT
EPSS
2.81%
84.7th percentile
Multiple cross-site scripting (XSS) vulnerabilities in OpenDocMan 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the last_message parameter to (1) add.php, (2) toBePublished.php, (3) index.php, and (4) admin.php; the PATH_INFO to the default URI to (5) category.php, (6) department.php, (7) profile.php, (8) rejects.php, (9) search.php, (10) toBePublished.php, (11) user.php, and (12) view_file.php; and (13) the caller parameter in a Modify User action to user.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opendocman | opendocman | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
OpenDocMan 1.2.5 - 'view_file.php' Cross-Site Scripting
exploitdb·2009-10-21
CVE-2009-3789 OpenDocMan 1.2.5 - 'view_file.php' Cross-Site Scripting
OpenDocMan 1.2.5 - 'view_file.php' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/36777/info
OpenDocMan is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OpenDocMan 1.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/opendocman/view_file.php/">alert(1)<"?aku=aWQ9NiZzdGF0ZT0z
Exploit-DB
OpenDocMan 1.2.5 - 'add.php?last_message' Cross-Site Scripting
exploitdb·2009-10-21
CVE-2009-3789 OpenDocMan 1.2.5 - 'add.php?last_message' Cross-Site Scripting
OpenDocMan 1.2.5 - 'add.php?last_message' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/36777/info
OpenDocMan is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OpenDocMan 1.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/opendocman/add.php?last_message=alert(1)
Exploit-DB
OpenDocMan 1.2.5 - 'toBePublished.php' Multiple Cross-Site Scripting Vulnerabilities
exploitdb·2009-10-21
CVE-2009-3789 OpenDocMan 1.2.5 - 'toBePublished.php' Multiple Cross-Site Scripting Vulnerabilities
OpenDocMan 1.2.5 - 'toBePublished.php' Multiple Cross-Site Scripting Vulnerabilities
---
source: https://www.securityfocus.com/bid/36777/info
OpenDocMan is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OpenDocMan 1.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/opendocman/toBePublished.php/">alert(1)
http://www.example.com/opendocman/toBePublished.php?last_message=alert(1)
Exploit-DB
OpenDocMan 1.2.5 - 'category.php' Cross-Site Scripting
exploitdb·2009-10-21
CVE-2009-3789 OpenDocMan 1.2.5 - 'category.php' Cross-Site Scripting
OpenDocMan 1.2.5 - 'category.php' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/36777/info
OpenDocMan is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OpenDocMan 1.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/opendocman/category.php/">alert(1)<"?aku=c3VibWl0PWFkZCZzdGF0ZT0y
Exploit-DB
OpenDocMan 1.2.5 - 'profile.php' Cross-Site Scripting
exploitdb·2009-10-21
CVE-2009-3789 OpenDocMan 1.2.5 - 'profile.php' Cross-Site Scripting
OpenDocMan 1.2.5 - 'profile.php' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/36777/info
OpenDocMan is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OpenDocMan 1.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/opendocman/profile.php/">alert(1)
Exploit-DB
OpenDocMan 1.2.5 - 'department.php' Cross-Site Scripting
exploitdb·2009-10-21
CVE-2009-3789 OpenDocMan 1.2.5 - 'department.php' Cross-Site Scripting
OpenDocMan 1.2.5 - 'department.php' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/36777/info
OpenDocMan is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OpenDocMan 1.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/opendocman/department.php/">alert(1)<"?aku=c3VibWl0PXNob3dwaWNrJnN0YXRlPTI=
Exploit-DB
OpenDocMan 1.2.5 - 'user.php' Cross-Site Scripting
exploitdb·2009-10-21
CVE-2009-3789 OpenDocMan 1.2.5 - 'user.php' Cross-Site Scripting
OpenDocMan 1.2.5 - 'user.php' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/36777/info
OpenDocMan is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OpenDocMan 1.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/opendocman/user.php/">alert(1)alert(123)<"
Exploit-DB
OpenDocMan 1.2.5 - 'rejects.php' Cross-Site Scripting
exploitdb·2009-10-21
CVE-2009-3789 OpenDocMan 1.2.5 - 'rejects.php' Cross-Site Scripting
OpenDocMan 1.2.5 - 'rejects.php' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/36777/info
OpenDocMan is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OpenDocMan 1.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/opendocman/rejects.php/">alert(1)
Exploit-DB
OpenDocMan 1.2.5 - 'index.php?last_message' Cross-Site Scripting
exploitdb·2009-10-21
CVE-2009-3789 OpenDocMan 1.2.5 - 'index.php?last_message' Cross-Site Scripting
OpenDocMan 1.2.5 - 'index.php?last_message' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/36777/info
OpenDocMan is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OpenDocMan 1.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/opendocman/index.php?last_message=alert(1)
Exploit-DB
OpenDocMan 1.2.5 - 'search.php' Cross-Site Scripting
exploitdb·2009-10-21
CVE-2009-3789 OpenDocMan 1.2.5 - 'search.php' Cross-Site Scripting
OpenDocMan 1.2.5 - 'search.php' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/36777/info
OpenDocMan is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OpenDocMan 1.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/opendocman/search.php/">alert(1)
Exploit-DB
OpenDocMan 1.2.5 - 'admin.php?last_message' Cross-Site Scripting
exploitdb·2009-10-21
CVE-2009-3789 OpenDocMan 1.2.5 - 'admin.php?last_message' Cross-Site Scripting
OpenDocMan 1.2.5 - 'admin.php?last_message' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/36777/info
OpenDocMan is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OpenDocMan 1.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/opendocman/admin.php?last_message=alert(1)
Exploit-DB
OpenDocMan 1.2.5 - Cross-Site Scripting / SQL Injection
exploitdb·2009-10-20
CVE-2009-3789 OpenDocMan 1.2.5 - Cross-Site Scripting / SQL Injection
OpenDocMan 1.2.5 - Cross-Site Scripting / SQL Injection
---
Security Advisory : Multiple vulnerabilities in OpenDocMan
Discovered by ==> Amol Naik (amolnaik4[at]gmail.com)
## Overview ##
OpenDocMan is a free document management system (DMS) designed to comply with ISO 17025 and OIE standard for document management. It features web based access, fine grained control of access to files, and automated install and upgrades.
## Vulnerability Description ##
OpenDocMan is vulnerable to authentication bypass and multiple cross-site scripting issues.
## Technical Details ##
Vulnerable Product : OpenDocMan v1.2.5
Download : http://sourceforge.net/projects/opendocman/files/opendocman/1.2.5/opendocman-1.2.5.zip/download
Authentication Bypass:
A valid username require to carry put Auth Bypass
No writeups or analysis indexed.
http://osvdb.org/59302http://osvdb.org/59303http://osvdb.org/59304http://osvdb.org/59305http://osvdb.org/59306http://osvdb.org/59307http://osvdb.org/59308http://osvdb.org/59309http://osvdb.org/59310http://osvdb.org/59311http://osvdb.org/59312http://secunia.com/advisories/30750http://www.packetstormsecurity.org/0910-exploits/opendocman-sqlxss.txthttp://www.securityfocus.com/bid/36777https://exchange.xforce.ibmcloud.com/vulnerabilities/53887http://osvdb.org/59302http://osvdb.org/59303http://osvdb.org/59304http://osvdb.org/59305http://osvdb.org/59306http://osvdb.org/59307http://osvdb.org/59308http://osvdb.org/59309http://osvdb.org/59310http://osvdb.org/59311http://osvdb.org/59312http://secunia.com/advisories/30750http://www.packetstormsecurity.org/0910-exploits/opendocman-sqlxss.txthttp://www.securityfocus.com/bid/36777https://exchange.xforce.ibmcloud.com/vulnerabilities/53887
2009-10-26
Published