CVE: CVE-2007-5727

Export to Word

Incomplete blacklist vulnerability in the stripScripts function in common.php in OneOrZero Helpdesk 1.6.5.4, 1.6.4.2, and possibly other versions, allows remote attackers to conduct cross-site scripting (XSS) attacks and inject arbitrary web script or HTML via XSS sequences without SCRIPT tags in the description parameter to (1) tcreate.php or (2) tupdate.php, as demonstrated using an onmouseover event in a b tag.

Threat-Mapped Scoring

Score: 0.0

Priority: Unclassified

EPSS

Score: 0.0048
Percentile: 0.64116

CVSS Scoring

CVSS v2 Score: 4.3

Severity:

Mapped CWE(s)

CWE-79 : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

All CAPEC(s)

CAPEC-209: XSS Using MIME Type Mismatch
CAPEC-588: DOM-Based XSS
CAPEC-591: Reflected XSS
CAPEC-592: Stored XSS
CAPEC-63: Cross-Site Scripting (XSS)
CAPEC-85: AJAX Footprinting

CAPEC(s) with Mapped TTPs

Mapped ATT&CK TTPs

Affected Products

cpe:2.3:a:oneorzero:oneorzero_helpdesk:1.6.4.2:*:*:*:*:*:*:*
cpe:2.3:a:oneorzero:oneorzero_helpdesk:1.6.5.4:*:*:*:*:*:*:*

← Back to Home