CVE-2012-1004
Description
Multiple cross-site scripting (XSS) vulnerabilities in UI/Register.pm in Foswiki before 1.1.5 allow remote authenticated users with CHANGE privileges to inject arbitrary web script or HTML via the (1) text, (2) FirstName, (3) LastName, (4) OrganisationName, (5) OrganisationUrl, (6) Profession, (7) Country, (8) State, (9) Address, (10) Location, (11) Telephone, (12) VoIP, (13) InstantMessagingIM, (14) Email, (15) HomePage, or (16) Comment parameter. NOTE: some of these details are obtained from third party information.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — http://secunia.com/advisories/47849
Vendor advisory: cve@mitre.org — http://foswiki.org/Support/SecurityAlert-CVE-2012-1004
References
- http://foswiki.org/Support/SecurityAlert-CVE-2012-1004
- http://foswiki.org/Tasks/Item11498
- http://foswiki.org/Tasks/Item11501
- http://secunia.com/advisories/47849
- http://st2tea.blogspot.com/2012/02/foswiki-cross-site-scripting.html
- http://foswiki.org/Support/SecurityAlert-CVE-2012-1004
- http://foswiki.org/Tasks/Item11498
- http://foswiki.org/Tasks/Item11501
- http://secunia.com/advisories/47849
- http://st2tea.blogspot.com/2012/02/foswiki-cross-site-scripting.html
CWEs
CWE-79
Verify integrity in audit chain (admin only). AS-IS.