CVE-2005-3818 Information
Description
Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView action in the Leads module for index.php, (3) the $_SERVER['PHP_SELF'] variable, which is used in multiple locations such as index.php, and (4) aggregated RSS feeds in the RSS aggregation module.
Reference
http://secunia.com/advisories/17693
http://securitytracker.com/id?1015271
http://www.hardened-php.net/advisory_232005.105.html
http://www.osvdb.org/21227
http://www.osvdb.org/21228
http://www.osvdb.org/21229
http://www.osvdb.org/21230
http://www.securityfocus.com/archive/1/417730/30/0/threaded
http://www.securityfocus.com/bid/15562
http://www.vupen.com/english/advisories/2005/2569
https://exchange.xforce.ibmcloud.com/vulnerabilities/23362
https://exchange.xforce.ibmcloud.com/vulnerabilities/23363