CVE-2010-3425
Published: 2010-09-16
Priority: P418 | Severity: medium | CVSS 2.0 base score: 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N (network, medium complexity, no authentication; partial integrity impact only)
EXPLOIT
EPSS: 1.48% (70.7th percentile)
Cross-site scripting (XSS) vulnerability in UserControls/Popups/frmHelp.aspx in SmarterStats 5.3, 5.3.3819, and possibly other 5.3 versions, allows remote attackers to inject arbitrary web script or HTML via the url parameter.
Affected (2 ranges; no version bounds or fix version are recorded for either)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smartertools | smarterstats | — | — |
| smartertools | smarterstats | — | — |
No detection rules found.
Exploit-DB
SmarterMail 7.3/7.4 - Multiple Vulnerabilities
exploitdb · 2011-03-10 · CVSS 4.3 · CVE-2010-3486 [MEDIUM]
Exploit-DB files this entry under CVE-2010-3486, not CVE-2010-3425, and it covers SmarterMail rather than SmarterStats, so treat it as related SmarterTools research rather than an exploit for the frmHelp.aspx issue described above.
---
Author: Hoyt LLC Research | http://xss.cx | http://cloudscan.me
Identified: October 28, 2010
Vendor: SmarterTools
Application: SmarterMail 7.x
Bug(s): Stored XSS, Reflected XSS, Directory Traversal, File Upload Parameters, OS Execution, XML Injection, LDAP Injection, DoS
Patch: The Vendor has released SmarterMail Version 8 at URI http://www.smartertools.com/Download.aspx?Product=SmarterMail&File=Installer&Version=8&Location=Primary
Timeline: Notify Vendor 10-28-2011 on Version 7.3 with respect to Stored XSS, other Vulns
Vendor updates to Version 7.4 on 12.30.2010, Notify Vendor of Stored XSS, other Vulns
Vendor updates to Version 8.0 on 3.10.2011
Publication: March 10, 2011 | Hoyt LLC Research publishes vulnerability information for
Exploit-DB
SmarterMail < 7.2.3925 - Persistent Cross-Site Scripting
exploitdb · 2010-10-02 · CVE-2010-3425
Exploit-DB files this entry under CVE-2010-3425, but the excerpt below describes a stored XSS in SmarterMail's /Main/frmToday.aspx via the ctl00$MPH$SubjectBox_SettingText parameter, whereas the CVE text above describes a reflected XSS in SmarterStats' frmHelp.aspx via the url parameter. Do not assume the two are the same bug.
SmarterMail alert(1)eb582083b9d was submitted in the ctl00%24MPH%24SubjectBox_SettingText parameter. This input was returned unmodified in a subsequent request for the URL /Main/frmToday.aspx. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Issue background

Stored cross-site scripting vulnerabilities arise when data which originated from any tainted source is copied into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or lo
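The following is an added example, not code from SmarterTools, Exploit-DB or the advisory author. It models the two things this page describes: the reflected pattern in the CVE text (a `url` parameter copied unencoded into the frmHelp.aspx response) beside a hardened rendering of the same page, and the marker-probe check the scanner excerpt above relies on (submit a payload with a random suffix, then see whether it comes back unmodified or entity-encoded). The `render_help_popup_*` functions, their markup, the probe format and all query strings are constructed stand-ins; the real SmarterStats page is not reproduced here.

```python
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


# Constructed stand-in for a help popup that copies ?url= into its markup
# without encoding. It models the pattern CVE-2010-3425 describes; it is
# not SmarterStats code and the markup is hypothetical.
def render_help_popup_vulnerable(query_string: str) -> str:
    url = parse_qs(query_string, keep_blank_values=True).get("url", [""])[0]
    return (
        "<html><body>"
        f'<a href="{url}">Open help topic</a>'
        f"<p>Topic: {url}</p>"
        "</body></html>"
    )


# Hardened form of the same constructed page: every copy of the parameter
# placed into HTML is entity-encoded (quotes included, so it cannot close the
# attribute), and the href only accepts http/https targets, because encoding
# alone does not neutralise a javascript: URL inside an href.
def render_help_popup_fixed(query_string: str) -> str:
    url = parse_qs(query_string, keep_blank_values=True).get("url", [""])[0]
    scheme = urlsplit(url).scheme.lower()
    safe_href = url if scheme in ("http", "https") else "#"
    return (
        "<html><body>"
        f'<a href="{html.escape(safe_href, quote=True)}">Open help topic</a>'
        f"<p>Topic: {html.escape(url, quote=True)}</p>"
        "</body></html>"
    )


def make_probe() -> str:
    """Marker payload with a random suffix, in the style of the alert(1)<hex>
    probe quoted in the Exploit-DB excerpt, so a reflection can be matched
    unambiguously in the response body."""
    return f'"><script>alert(1)</script>{secrets.token_hex(6)}'


def classify_reflection(probe: str, body: str) -> str:
    """Return how the probe came back in the response body:
    'unmodified' - verbatim copy present, script injection is possible
    'encoded'    - only an entity-encoded copy present, output is safe
    'absent'     - the value was not reflected at all"""
    if probe in body:
        return "unmodified"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    return "absent"


def probe_endpoint(render, probe: str, param: str = "url") -> str:
    """Submit the probe in the given query parameter to a page-rendering
    function (here the constructed stand-ins above; against a live host this
    step would be an HTTP GET) and classify the reflection."""
    query = urlencode({param: probe})
    return classify_reflection(probe, render(query))


if __name__ == "__main__":
    p = make_probe()
    print("vulnerable page:", probe_endpoint(render_help_popup_vulnerable, p))
    print("fixed page:     ", probe_endpoint(render_help_popup_fixed, p))
```

The three-way classification is the distinction the scanner output above reports ("returned unmodified"): a page that reflects only the entity-encoded form is not injectable through that sink, while a verbatim copy is. The random suffix matters because help pages and mail templates often already contain the string alert(1) or a `<script>` tag; matching on the full probe avoids a false positive from unrelated markup.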
No writeups or analysis indexed.
References
http://cloudscan.blogspot.com/2010/09/vendorsmarterstats-bug-cross-site.html
http://secunia.com/advisories/41389
http://www.osvdb.org/67895
https://exchange.xforce.ibmcloud.com/vulnerabilities/61724