Vulnerability Name:

CVE-2002-1335 (CCN-10842)

Assigned:2002-11-27
Published:2002-11-27
Updated:2017-07-11
Summary:Cross-site scripting (XSS) vulnerability in w3m 0.3.2 does not escape an HTML tag in a frame, which allows remote attackers to insert arbitrary web script or HTML and access files or cookies.
CVSS v3 Severity:3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2002-1335

Source: CCN
Type: w3m-dev-en Mailing List, Wed, 27 Nov 2002 01:53:56 +0900
[w3m-dev-en 00838] w3m-0.3.2.1 released

Source: CONFIRM
Type: Vendor Advisory
http://mi.med.tohoku.ac.jp/%7Esatodai/w3m-dev-en/200211.month/838.html

Source: CCN
Type: RHSA-2003-044
Updated w3m packages fix cross-site scripting issues

Source: CCN
Type: RHSA-2003-045
w3m security update

Source: CCN
Type: SA8015
RedHat updates to W3M

Source: SECUNIA
Type: UNKNOWN
8015

Source: CCN
Type: SA8016
RedHat updates to W3M

Source: SECUNIA
Type: UNKNOWN
8016

Source: CCN
Type: SA8031
Debian updates to w3mmee

Source: SECUNIA
Type: UNKNOWN
8031

Source: SECUNIA
Type: UNKNOWN
8053

Source: CONFIRM
Type: UNKNOWN
http://sourceforge.net/project/shownotes.php?release_id=124484

Source: CCN
Type: SourceForge.net
SourceForge.net: Project Info - w3m

Source: DEBIAN
Type: UNKNOWN
DSA-249

Source: DEBIAN
Type: UNKNOWN
DSA-250

Source: DEBIAN
Type: UNKNOWN
DSA-251

Source: DEBIAN
Type: DSA-249
w3mmee -- missing HTML quoting

Source: DEBIAN
Type: DSA-250
w3mmee-ssl -- missing HTML quoting

Source: DEBIAN
Type: DSA-251
w3m -- missing HTML quoting

Source: CCN
Type: OpenPKG-SA-2003.009
w3m

Source: OPENPKG
Type: UNKNOWN
OpenPKG-SA-2003.009

Source: OSVDB
Type: UNKNOWN
6981

Source: CCN
Type: OSVDB ID: 6981
w3m Unspecified Frame XSS

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2003:044

Source: REDHAT
Type: UNKNOWN
RHSA-2003:045

Source: BID
Type: Patch, Vendor Advisory
6793

Source: CCN
Type: BID-6793
W3M Frame Enabled Browsing Cross Site Scripting Vulnerability

Source: XF
Type: UNKNOWN
w3m-html-frame-xss(10842)


Vulnerable Configuration:Configuration 1:
  • cpe:/a:w3m:w3m:0.3.2:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:w3m:w3m:0.2.1:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:linux:7:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.3:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:openpkg:openpkg:current:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:openpkg:openpkg:1.1:*:*:*:*:*:*:*
  • OR cpe:/a:openpkg:openpkg:1.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1:*:itanium:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions

| Definition ID | Class | Title | Last Modified |
| --- | --- | --- | --- |
| oval:org.opensuse.security:def:20021335 | V | CVE-2002-1335 | 2015-11-16 |
| oval:org.debian:def:251 | V | missing HTML quoting | 2003-02-14 |
| oval:org.debian:def:250 | V | missing HTML quoting | 2003-02-12 |
| oval:org.debian:def:249 | V | missing HTML quoting | 2003-02-11 |
    w3m w3m 0.3.2
    w3m w3m 0.2.1
    redhat linux 7
    redhat linux 7.1
    redhat linux 7.2
    redhat linux 7.3
    debian debian linux 3.0
    openpkg openpkg current
    redhat linux 8.0
    openpkg openpkg 1.1
    openpkg openpkg 1.2
    redhat enterprise linux 2.1
    redhat linux advanced workstation 2.1