phpGroupWare Wiki module cross-site scripting

phpgroupware-xss (17289) The risk level is classified as Medium Risk

Description:

Joseph Engo's phpGroupWare is vulnerable to cross-site scripting, caused by improper filtering of user-supplied input in the Wiki module.

Platforms Affected:

  • Gentoo, Linux
  • Joseph Engo, phpGroupWare prior to 0.9.16.003

Remedy:

Upgrade to the latest version of phpGroupWare (0.9.16.003 or later) available from the phpGroupWare Web site. See References.

For Gentoo Linux:
Upgrade to the latest version of phpGroupWare (0.9.16.003 or later), as listed in GLSA 200409-22. See References.

Consequences:

Gain Access

References:

  • phpGroupWare ChangeLog Web page, phpGroupWare ChangeLog at http://downloads.phpgroupware.org/changelog.
  • phpGroupWare Web site, phpGroupWare at http://www.phpgroupware.org/.
  • BID-11130: PHPGroupWare Wiki Cross-Site Scripting Vulnerability
  • CVE-2004-0875: Multiple cross-site scripting (XSS) vulnerabilities in Phpgroupware (aka webdistro) 0.9.16.002 and earlier allow remote attackers to insert arbitrary HTML or web script, as demonstrated with a request to the wiki module.
  • GLSA-200409-22: phpGroupWare: XSS vulnerability in wiki module

Reported:

Sep 06, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
