[VIM] Resolved PHPKB vendor dispute (CVE-2006-2184)
Steven M. Christey
coley at mitre.org
Fri May 19 17:09:02 EDT 2006
The vendor has fixed the issue, so I consider the dispute to be
resolved.
- Steve
======================================================
Name: CVE-2006-2184
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2184
Acknowledged: yes via-email
Announced: 20060502
Flaw: XSS
Reference: MISC:http://d4igoro.blogspot.com/2006/05/phpkb-knowledge-base-xss.html
Reference: MLIST:[VIM] 20060512 Vendor dispute of CVE-2006-2184
Reference: URL:http://www.attrition.org/pipermail/vim/2006-May/000753.html
Reference: FRSIRT:ADV-2006-1628
Reference: URL:http://www.frsirt.com/english/advisories/2006/1628
Reference: SECUNIA:19913
Reference: URL:http://secunia.com/advisories/19913
Cross-site scripting (XSS) vulnerability in search.php in PHPKB
Knowledge Base allows remote attackers to inject arbitrary web script
or HTML via the searchkeyword parameter. NOTE: the issue was
originally disputed by the vendor, but on 20060519, the vendor
notified CVE that "We have fixed all the mentioned issues and now the
search section of PHPKB script is free from any XSS issues."
Analysis:
ACKNOWLEDGEMENT: at the top of the researchers page for this
vulnerability he says "pdate: the vendor have informed me that there
is no hole. i only had a look on the online demo. if you want you can
send me a fullversion. :)" on 20060510, the vendor emailed a dispute
to CVE regarding this issue, suggesting that CVE could test their demo
web site. CVE (Christey) quickly found a javascript event XSS variant
and notified the vendor early in 20060511. On 20060519, the vendor
fixed the issue and withdrew the dispute.
More information about the VIM
mailing list