DCP-Portal user_update.php cross-site scripting
| dcpportal-userupdate-css (8197) |  Medium Risk |
Description:
DCP-Portal is vulnerable to cross-site scripting. A remote attacker with a valid account could use the user_update.php script to embed malicious script within HTML tags in the (Job) field, which would be executed in the victim's Web browser once the attacker's profile page is viewed.
Consequences:
Other
Remedy:
No remedy available as of March 13, 2010.
References:
- ALPER Research Labs Security Advisory ARL02-A03: DCP-Portal Cross Site Scripting Vulnerability.
- DCP-Portal Web site: DCP-Portal.com::DCP-Portal - Welcome.
- BID-4112: DCP-Portal User Details Cross-Agent Scripting Vulnerability
- CVE-2002-0281: Cross-site scripting vulnerability in DCP-Portal 4.2 and earlier allows remote attackers to gain privileges of other portal users by providing Javascript in the job information field to user_update.php.
Platforms Affected:
- DCP-Portal DCP-Portal 3.7
- DCP-Portal DCP-Portal 4.0 final
- DCP-Portal DCP-Portal 4.1 final
- DCP-Portal DCP-Portal 4.2
Reported:
Feb 15, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net