Info

Disclosure

Dec 20, 2005

Discovery

Nov 15, 2005

Dates

Exploit

Dec 20, 2005

Solution

Unknown

Description

Cerberus Helpdesk Support Center contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'kb_ask' variables upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: Vendor Verified
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

WebGroup Media LLC	Cerberus Helpdesk Support Center	3.2.0pr2
		2.649

References

Secunia Advisory ID: 18112
CVE ID: 2005-4428 (see also: NVD)
Related OSVDB ID: 21988 21990 21991 21992 21993 21994 21995
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0949.html
Vendor Specific News/Changelog Entry: http://forum.cerberusweb.com/showthread.php?s=&postid=30315
http://www.cerberusweb.com/devblog/index.php?p=70
Vendor URL: http://www.cerberusweb.com/

Credit

A. Ramos - aramosfunsec.net - Personal Page

Direct URL: http://osvdb.org/21989

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

WebGroup Media LLC

Cerberus Helpdesk Support Center

References

Credit