QwikSec

Security Database

CVE

CWE

Training

CVE-2009-2006

Published: Jun 8, 2009

Modified: Aug 7, 2024

PUBLISHED

Description

Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.5, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) search_term parameter to main/auth/courses.php; the (2) frm_title and (3) frm_content parameters in a new personal agenda item action; the (4) title and (5) tutor_name parameters in a new course action; and the (6) student and (7) course parameters to main/mySpace/myStudents.php. NOTE: vectors 2 and 3 might only be exploitable via a separate CSRF vulnerability.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

dokeos-new-course-xss(50500)

vdb-entry

x_refsource_XF

vdb-entry

x_refsource_VUPEN

third-party-advisory

x_refsource_SECUNIA

http://www.dokeos.com/wiki/index.php/Security#Dokeos_1.8

x_refsource_CONFIRM

dokeos-agenda-item-xss(50498)

vdb-entry

x_refsource_XF

dokeos-mystudents-xss(50502)

vdb-entry

x_refsource_XF

http://holisticinfosec.org/content/view/112/45/

x_refsource_MISC

vdb-entry

x_refsource_BID

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.