CVE-2010-4647
published 2011-01-13CVE-2010-4647: Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3.6.2 allow remote…
PriorityP423medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EXPLOIT
EPSS
5.22%
91.5th percentile
Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) help/index.jsp or (2) help/advanced/content.jsp.
Affected
29 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eclipse | eclipse_ide | <= 3.6.1 | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
| eclipse | eclipse_ide | — | — |
CVSS provenance
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat4.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
eclipse: Help Content web application vulnerable to multiple XSS
vendor_redhat·2010-11-16·CVSS 4.3
CVE-2010-4647 [MEDIUM] CWE-79 eclipse: Help Content web application vulnerable to multiple XSS
eclipse: Help Content web application vulnerable to multiple XSS
Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) help/index.jsp or (2) help/advanced/content.jsp.
Package: eclipse (Red Hat Enterprise Linux 5) - Will not fix
Red Hat
eclipse: Help Content web application vulnerable to multiple XSS flaws
vendor_redhat·2008-04-24·CVSS 4.3
CVE-2008-7271 [MEDIUM] CWE-79 eclipse: Help Content web application vulnerable to multiple XSS flaws
eclipse: Help Content web application vulnerable to multiple XSS flaws
Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647.
Package: eclipse (Red Hat Enterprise Linux 5) - Will not fix
Package: eclipse (Red Hat Enterprise Linux 6) - Not affected
GHSA
GHSA-rpmq-jrch-356w: Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3
ghsa_unreviewed·2022-05-17·CVSS 4.3
CVE-2008-7271 [MEDIUM] CWE-79 GHSA-rpmq-jrch-356w: Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3
Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647.
GHSA
GHSA-2q22-9jhj-hx5g: Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3
ghsa_unreviewed·2022-05-14
CVE-2010-4647 [MEDIUM] CWE-79 GHSA-2q22-9jhj-hx5g: Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3
Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) help/index.jsp or (2) help/advanced/content.jsp.
No detection rules found.
Exploit-DB
Eclipse 3.6.1 - Help Server 'help/index.jsp' Cross-Site Scripting
exploitdb·2010-11-16
CVE-2010-4647 Eclipse 3.6.1 - Help Server 'help/index.jsp' Cross-Site Scripting
Eclipse 3.6.1 - Help Server 'help/index.jsp' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/44883/info
Eclipse IDE Help component is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://localhost:[REPLACE]/help/index.jsp?'onload='alert(0)
Exploit-DB
Eclipse 3.6.1 - Help Server 'help/advanced/content.jsp' Cross-Site Scripting
exploitdb·2010-11-16
CVE-2010-4647 Eclipse 3.6.1 - Help Server 'help/advanced/content.jsp' Cross-Site Scripting
Eclipse 3.6.1 - Help Server 'help/advanced/content.jsp' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/44883/info
Eclipse IDE Help component is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0)
Bugzilla
CVE-2008-7271 eclipse: Help Content web application vulnerable to multiple XSS flaws
bugzilla·2011-01-19·CVSS 4.3
CVE-2008-7271 [MEDIUM] CVE-2008-7271 eclipse: Help Content web application vulnerable to multiple XSS flaws
CVE-2008-7271 eclipse: Help Content web application vulnerable to multiple XSS flaws
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-7271 to
the following vulnerability:
Name: CVE-2008-7271
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7271
Assigned: 20110113
Reference: MISC: http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
Reference: MISC: https://bugs.eclipse.org/bugs/show_bug.cgi?id=223539
Multiple cross-site scripting (XSS) vulnerabilities in the Help
Contents web application (aka the Help Server) in Eclipse IDE,
possibly 3.3.2, allow remote attackers to inject arbitrary web script
or HTML via (1) the searchWord parameter to
help/advanced/searchView.jsp or (2) the workingSet parameter in an add
action to help/advanced/w
Bugzilla
CVE-2010-4647 eclipse: Help Content web application vulnerable to multiple XSS [fedora-all]
bugzilla·2011-01-19·CVSS 4.3
CVE-2010-4647 [MEDIUM] CVE-2010-4647 eclipse: Help Content web application vulnerable to multiple XSS [fedora-all]
CVE-2010-4647 eclipse: Help Content web application vulnerable to multiple XSS [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=661901
Please note: this issue
Bugzilla
CVE-2010-4647 eclipse: Help Content web application vulnerable to multiple XSS
bugzilla·2010-12-09·CVSS 4.3
CVE-2010-4647 [MEDIUM] CVE-2010-4647 eclipse: Help Content web application vulnerable to multiple XSS
CVE-2010-4647 eclipse: Help Content web application vulnerable to multiple XSS
It was reported [1] that the Eclipse Help Contents were vulnerable to Cross Site Scripting vulnerabilities in the /help/index.jsp and /help/advanced/content.jsp URLs that are served by the built-in Jetty Web Server plugin.
There is an upstream bug [2] and according to the reporter, this is corrected upstream (as of nightlies dating back to 20101110).
[1] http://yehg.net/lab/pr0js/advisories/eclipse/%5Beclipse_help_server%5D_cross_site_scripting
Discussion:
Upstream bug is here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582
---
This has been assigned the name CVE-2010-4647:
http://article.gmane.org/gmane.comp.security.oss.general/4059
---
How do I trigger the bug actually?
Using Eclipse 3.5.2 fr
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052532.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2010-December/052554.htmlhttp://openwall.com/lists/oss-security/2011/01/06/16http://openwall.com/lists/oss-security/2011/01/06/7http://www.mandriva.com/security/advisories?name=MDVSA-2011:032http://www.redhat.com/support/errata/RHSA-2011-0568.htmlhttp://yehg.net/lab/pr0js/advisories/eclipse/%5Beclipse_help_server%5D_cross_site_scriptinghttps://bugs.eclipse.org/bugs/show_bug.cgi?id=329582https://exchange.xforce.ibmcloud.com/vulnerabilities/64833http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052532.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2010-December/052554.htmlhttp://openwall.com/lists/oss-security/2011/01/06/16http://openwall.com/lists/oss-security/2011/01/06/7http://www.mandriva.com/security/advisories?name=MDVSA-2011:032http://www.redhat.com/support/errata/RHSA-2011-0568.htmlhttp://yehg.net/lab/pr0js/advisories/eclipse/%5Beclipse_help_server%5D_cross_site_scriptinghttps://bugs.eclipse.org/bugs/show_bug.cgi?id=329582https://exchange.xforce.ibmcloud.com/vulnerabilities/64833
2011-01-13
Published