CVE-2010-1459 — Cross-site Scripting in Mono

CWE-79 — Cross-site Scripting9 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 38.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mono Debian Mono

Timeline

PublishedMay 27

Latest updateMay 2

Description

The default configuration of ASP.NET in Mono before 2.6.4 has a value of FALSE for the EnableViewStateMac property, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by the __VIEWSTATE parameter to 2.0/menu/menu1.aspx in the XSP sample project.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages4 packages

▶NuGetmono/mono< 2.6.4

▶debiandebian/mono< mono 2.4.4~svn151842-3 (bookworm)

▶Debianmono/mono< 2.4.4~svn151842-3+3

▶NVDmono/mono62 versions+61

🔴Vulnerability Details

OSV

Mono ASP.NET View State Cross-Site Scripting (XSS) vulnerability↗2022-05-02

▶

GHSA

Mono ASP.NET View State Cross-Site Scripting (XSS) vulnerability↗2022-05-02

▶

CVEList

CVE-2010-1459: The default configuration of ASP↗2010-05-27

▶

OSV

CVE-2010-1459: The default configuration of ASP↗2010-05-27

▶

📋Vendor Advisories

Red Hat

Mono: View State Cross-Site Scripting↗2010-04-28

▶

Debian

CVE-2010-1459: mono - The default configuration of ASP.NET in Mono before 2.6.4 has a value of FALSE f...↗2010

▶

💬Community

Bugzilla

CVE-2010-1459 Mono: View State Cross-Site Scripting [Fedora all]↗2010-05-31

▶

Bugzilla

CVE-2010-1459 Mono: View State Cross-Site Scripting↗2010-05-31

▶