CVE-2007-4088 Information

Description

Multiple cross-site scripting (XSS) vulnerabilities in Vikingboard 0.1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) id, (2) f, (3) quote, and (4) act parameters to cp.php; the (5) u parameter to user.php; the (6) f parameter to post.php; the (7) s parameter to topic.php; the (8) quote, (9) t, (10) poll, and (11) p parameters to post.php; the (12) Message Title field of a private message (PM) in mode 6 of cp.php; the (13) title field of a private message (PM) in mode 7 of cp.php; and (14) allow user-assisted remote attackers to inject arbitrary web script or HTML via a dosearch action to search.php, which reflects the first lines of all posts by a user. NOTE: the act parameter to help.php and the p parameter to report.php are already covered by CVE-2006-4708. NOTE: vectors 12 and 13 might overlap CVE-2006-6283.1. NOTE: vector 14 might overlap CVE-2006-4708.b.

Reference

http://lostmon.blogspot.com/2007/07/vikingboard-multiple-cross-site.html
http://osvdb.org/37352
http://osvdb.org/37354
http://osvdb.org/37355
http://osvdb.org/37356
http://osvdb.org/37357
http://secunia.com/advisories/26196
http://secwatch.org/advisories/1018567/
http://www.securityfocus.com/bid/25056
https://exchange.xforce.ibmcloud.com/vulnerabilities/35599
https://exchange.xforce.ibmcloud.com/vulnerabilities/35601
