CVE-2009-4047
published 2009-11-23CVE-2009-4047: Multiple cross-site scripting (XSS) vulnerabilities in PHD Help Desk 1.43 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO…
PriorityP422medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EXPLOIT
EPSS
1.94%
77.6th percentile
Multiple cross-site scripting (XSS) vulnerabilities in PHD Help Desk 1.43 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to area.php; the (2) pagina, (3) sentido, (4) q_registros, and (5) orden parameters to area.php; (6) the q_registros parameter to solic_display.php; (7) the PATH_INFO to area_list.php; (8) the q_registros parameter to area_list.php; (9) the PATH_INFO to atributo.php; the (10) pagina, (11) q_registros, and (12) orden parameters to atributo_list.php; (13) an arbitrary parameter name beginning with "sentido" to atributo_list.php; and (14) the PATH_INFO to caso_insert.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| p-hd | phd_help_desk | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
PHD Help Desk 1.43 - 'area.php' Multiple Cross-Site Scripting Vulnerabilities
exploitdb·2009-11-16
CVE-2009-4047 PHD Help Desk 1.43 - 'area.php' Multiple Cross-Site Scripting Vulnerabilities
PHD Help Desk 1.43 - 'area.php' Multiple Cross-Site Scripting Vulnerabilities
---
source: https://www.securityfocus.com/bid/37029/info
PHD Help Desk is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
PHD Help Desk 1.43 is vulnerable; other versions may also be affected.
http://www.example.com/area.php/[code]
http://www.example.com/area.php?pagina=[code]
http://www.example.com/area.php?sentido=[code]
http://www.example.com/area.php?q_registros=[code]
http://www.example.com/area.php?orden=[code]
Exploit-DB
PHD Help Desk 1.43 - 'solic_display.php?q_registros' Cross-Site Scripting
exploitdb·2009-11-16
CVE-2009-4047 PHD Help Desk 1.43 - 'solic_display.php?q_registros' Cross-Site Scripting
PHD Help Desk 1.43 - 'solic_display.php?q_registros' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/37029/info
PHD Help Desk is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
PHD Help Desk 1.43 is vulnerable; other versions may also be affected.
http://www.example.com/solic_display.php?pagina=1&q_registros=[code]&orden=seq_solicitud_id
Exploit-DB
PHD Help Desk 1.43 - 'atributo_list.php' Multiple Cross-Site Scripting Vulnerabilities
exploitdb·2009-11-16
CVE-2009-4047 PHD Help Desk 1.43 - 'atributo_list.php' Multiple Cross-Site Scripting Vulnerabilities
PHD Help Desk 1.43 - 'atributo_list.php' Multiple Cross-Site Scripting Vulnerabilities
---
source: https://www.securityfocus.com/bid/37029/info
PHD Help Desk is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
PHD Help Desk 1.43 is vulnerable; other versions may also be affected.
http://www.example.com/atributo_list.php?pagina=1[code]&q_registros=15&orden=activo&sentido
http://www.example.com/atributo_list.php?pagina=1&q_registros=15[code]&orden=activo&sentido
http://www.example.com/atributo_list.php?p
Exploit-DB
PHD Help Desk 1.43 - 'caso_insert.php?URL' Cross-Site Scripting
exploitdb·2009-11-16
CVE-2009-4047 PHD Help Desk 1.43 - 'caso_insert.php?URL' Cross-Site Scripting
PHD Help Desk 1.43 - 'caso_insert.php?URL' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/37029/info
PHD Help Desk is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
PHD Help Desk 1.43 is vulnerable; other versions may also be affected.
http://www.example.com/caso_insert.php/[code]
Exploit-DB
PHD Help Desk 1.43 - 'area_list.php' Multiple Cross-Site Scripting Vulnerabilities
exploitdb·2009-11-16
CVE-2009-4047 PHD Help Desk 1.43 - 'area_list.php' Multiple Cross-Site Scripting Vulnerabilities
PHD Help Desk 1.43 - 'area_list.php' Multiple Cross-Site Scripting Vulnerabilities
---
source: https://www.securityfocus.com/bid/37029/info
PHD Help Desk is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
PHD Help Desk 1.43 is vulnerable; other versions may also be affected.
http://www.example.com/area_list.php/[code]
http://www.example.com/area_list.php?pagina=1&q_registros=0[code]&orden=nombre
Exploit-DB
PHD Help Desk 1.43 - 'atributo.php?URL' Cross-Site Scripting
exploitdb·2009-11-16
CVE-2009-4047 PHD Help Desk 1.43 - 'atributo.php?URL' Cross-Site Scripting
PHD Help Desk 1.43 - 'atributo.php?URL' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/37029/info
PHD Help Desk is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
PHD Help Desk 1.43 is vulnerable; other versions may also be affected.
http://www.example.com/atributo.php/[code]
No writeups or analysis indexed.
http://osvdb.org/60085http://osvdb.org/60086http://osvdb.org/60087http://osvdb.org/60088http://osvdb.org/60089http://osvdb.org/60090http://secunia.com/advisories/37375http://www.securityfocus.com/bid/37029http://osvdb.org/60085http://osvdb.org/60086http://osvdb.org/60087http://osvdb.org/60088http://osvdb.org/60089http://osvdb.org/60090http://secunia.com/advisories/37375http://www.securityfocus.com/bid/37029
2009-11-23
Published