Vulnerability Note VU#732115

Project Open cross-site scripting vulnerability

Original Release date: 03 Feb 2012 | Last revised: 24 Jul 2014

Overview

Project Open ]po[ version 3.4 and possibly earlier versions suffer from a reflective cross-site scripting (XSS) vulnerability in the account-closed.tcl script

Description

The XSS vulnerability (CWE-79) is contained within the message parameter in the account-closed.tcl script.

http://[HOST]/register/account-closed?message=[arbitrary-JavaScript]

Impact

An attacker may be able to execute arbitrary Javascript in the context of the user's browser.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Project OpenAffected19 Jan 201201 Feb 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Temporal 3.5 E:POC/RL:U/RC:UC
Environmental 0.9 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Michail Poultsakis for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2012-1027
  • Date Public: 01 Feb 2012
  • Date First Published: 03 Feb 2012
  • Date Last Updated: 24 Jul 2014
  • Severity Metric: 0.05
  • Document Revision: 21

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.