US-CERT Vulnerability Notes Database


 

Vulnerability Note VU#488684

Hummingbird CyberDOCS contains multiple cross-site scripting vulnerabilities

Overview

Hummingbird CyberDOCS contains cross-site scripting vulnerabilities that could allow an attacker to obtain sensitive information and possibly impersonate legitimate users.

I. Description

Hummingbird CyberDOCS (Hummingbird DM) is a web-based enterprise document management solution that runs on Windows NT/2000 using SQL database technology. Several web pages return user input from URI or POST query parameters without adequate filtering. By convincing a user to access a crafted URI or web page, a remote attacker could execute HTML and script within the trust domain of the CyberDOCS web server.
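
The flaw described above, shown as an added example that is not part of the original note and is not Hummingbird's code: a hypothetical page that returns a parameter unfiltered, the same page with HTML output encoding, and a check that reports whether markup characters come back raw from either the URI query or a POST body. The parameter name `doc`, the page functions and the probe string are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed probe: inert markup characters that must never come back raw.
PROBE = '<i x="probe\'1">'

def request_params(query_string="", post_body=""):
    """Collect parameters from the URI query string and a form-encoded POST body."""
    params = {}
    for source in (query_string, post_body):
        for name, values in parse_qs(source, keep_blank_values=True).items():
            params.setdefault(name, values[0])
    return params

def page_unfiltered(params):
    """Hypothetical page with the flaw the note describes: input returned as-is."""
    doc = params.get("doc", "")
    return '<p>Document %s not found</p><input name="doc" value="%s">' % (doc, doc)

def page_encoded(params):
    """Same page, value HTML-encoded so it is safe as text and as a quoted attribute."""
    doc = html.escape(params.get("doc", ""), quote=True)
    return '<p>Document %s not found</p><input name="doc" value="%s">' % (doc, doc)

def reflects_raw(page, param, via="query"):
    """True if `page` returns the probe unencoded when sent through `via`."""
    encoded = urlencode({param: PROBE})
    if via == "query":
        params = request_params(query_string=encoded)
    else:
        params = request_params(post_body=encoded)
    return PROBE in page(params)

if __name__ == "__main__":
    for page in (page_unfiltered, page_encoded):
        for via in ("query", "post"):
            print(page.__name__, via, "raw reflection:", reflects_raw(page, "doc", via))
```

The same probe-and-compare check can serve as a regression test after a fix is deployed, covering each parameter a page returns in its response.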

II. Impact

A remote attacker could access sensitive information related to the vulnerable web page (cookies, form values, URI data). The attacker could also attempt to mislead the user into providing sensitive information such as login credentials.

III. Solution

Apply a patch or upgrade

For CyberDOCS 4.0, apply Patch 4 from the CyberDOCS support site. For versions of CyberDOCS prior to 4.0, Hummingbird recommends that customers upgrade to the most recent version of CyberDOCS.

Systems Affected

Vendor        Status        Date Updated
Hummingbird   Vulnerable    9-Oct-2003

References


http://www.procheckup.com/security_info/vuln_pr0305.html
http://www.hummingbird.com/support/dkm/supportservices/Cyberdocs.html
http://www.cert.org/archive/pdf/cross_site_scripting.pdf

Credit

This vulnerability was discovered and reported by ProCheckUp.

This document was written by Art Manion.

Other Information

Date Public: 10/06/2003
Date First Published: 10/09/2003 02:54:22 PM
Date Last Updated: 10/14/2003
CERT Advisory:
CVE Name:
US-CERT Technical Alerts:
Metric: 1.95
Document Revision: 25

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2003 Carnegie Mellon University