[VIM] CVE-2006-1854 (Bluepay) vendor dispute
Stuart Moore
smoore at securityglobal.net
Fri May 12 23:52:32 EDT 2006
Steve,
The script seems to remove the greater than and less than characters.
But, your onmouseover example from the previous dispute works just fine
in the username field:
" onmouseover="javascript:alert('hi')"
:-)
Stuart
Steven M. Christey wrote:
> Following the traditional Friday dispute pattern... I have not
> investigated yet.
>
> a r0t production.
>
> - Steve
>
>
> ---------- Forwarded message ----------
> Date: Fri, 12 May 2006 15:54:11 -0500
> From: Chris Jansen
> To: cve at mitre.org
> Cc: nvd at nist.gov
> Subject: CVE-2006-1854 - Dispute
>
> To Whom it May Concern,
>
> As an authorized representative of Bluepay, Inc, as well as the primary
> programmer on the Bluepay staff, I'd like to formally dispute CVE-2006-1854,
> which reads as follows:
>
> "Multiple cross-site scripting (XSS) vulnerabilities in BluePay Manager 2.0
> and earlier allow remote attackers to inject arbitrary web script or HTML
> during a login action via the (1) Account Name and (2) Username field."
>
> Reference: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1854
>
> I doubt this vulnerability ever existed, but assuming it did exist at some
> point, it does not exist currently in the Bluepay 2.0 product.
>
> Please let me know what steps I can take next to have this entry listed as
> vendor-disputed, or outright incorrect information.
>
> -Chris Jansen
> 630-723-4093
>
> Senior Analyst
> Bluepay, Inc
> 184 N Shuman Blvd
> Naperville, IL 60563
>
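The behaviour described in the message above, as an added example that is not part of the original thread and is not BluePay's code: a filter that removes only `<` and `>` is compared with HTML attribute encoding on the quoted username string. The `TEMPLATE` markup and all function names are assumptions made for illustration; the thread does not show the real login page.

```python
import html
from html.parser import HTMLParser

# Constructed template: the thread does not show BluePay's markup. Assumes the
# submitted username is echoed back inside a double-quoted value attribute.
TEMPLATE = '<input type="text" name="username" value="{}">'

# The string quoted in the message above.
SUBMITTED = '" onmouseover="javascript:alert(\'hi\')"'


def strip_angle_brackets(value):
    """Filter as described in the thread: only '<' and '>' are removed."""
    return value.replace("<", "").replace(">", "")


def encode_for_attribute(value):
    """Hardened form: HTML-encode &, <, > and both quote characters."""
    return html.escape(value, quote=True)


class AttrCollector(HTMLParser):
    """Records the attributes an HTML parser sees on the first <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def rendered_attributes(filter_fn, submitted):
    """Render the template with the filtered value and parse it back."""
    parser = AttrCollector()
    parser.feed(TEMPLATE.format(filter_fn(submitted)))
    parser.close()
    return parser.attrs


def injected_handlers(attrs):
    """Event-handler attributes that were not present in the template."""
    return sorted(name for name in attrs if name.startswith("on"))


if __name__ == "__main__":
    for fn in (strip_angle_brackets, encode_for_attribute):
        attrs = rendered_attributes(fn, SUBMITTED)
        print(fn.__name__, injected_handlers(attrs), repr(attrs["value"]))
```

With the bracket-stripping filter the double quote closes the `value` attribute and the parser sees a separate `onmouseover` attribute; with attribute encoding the whole string stays inside `value` as data.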