search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Project Open cross-site scripting vulnerability

Vulnerability Note VU#732115

Original Release Date: 2012-02-03 | Last Revised: 2014-07-24

Overview

Project Open ]po[ version 3.4 and possibly earlier versions suffer from a reflective cross-site scripting (XSS) vulnerability in the account-closed.tcl script

Description

The XSS vulnerability (CWE-79) is contained within the message parameter in the account-closed.tcl script.

http://[HOST]/register/account-closed?message=[arbitrary-JavaScript]

Impact

An attacker may be able to execute arbitrary Javascript in the context of the user's browser.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information

732115
 
Expand all

Project Open Affected

Notified:  January 19, 2012 Updated: February 01, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Temporal 3.5 E:POC/RL:U/RC:UC
Environmental 0.9 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Michail Poultsakis for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2012-1027
Severity Metric: 0.05
Date Public: 2012-02-01
Date First Published: 2012-02-03
Date Last Updated: 2014-07-24 22:19 UTC
Document Revision: 21

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis