Vulnerability Name:

CVE-2005-0085 (CCN-19223)

Assigned:2005-02-03
Published:2005-02-03
Updated:2017-10-11
Summary:Cross-site scripting (XSS) vulnerability in ht://dig (htdig) before 3.1.6-r7 allows remote attackers to execute arbitrary web script or HTML via the config parameter, which is not properly sanitized before it is displayed in an error message.
CVSS v3 Severity:5.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
5.1 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-Other
Vulnerability Consequences:Obtain Information
References:Source: SCO
Type: UNKNOWN
SCOSA-2005.46

Source: MITRE
Type: CNA
CVE-2005-0085

Source: CCN
Type: RHSA-2005-090
htdig security update

Source: CCN
Type: SA14255
ht://Dig "config" Parameter Cross-Site Scripting Vulnerability

Source: SECUNIA
Type: UNKNOWN
14255

Source: SECUNIA
Type: UNKNOWN
14276

Source: SECUNIA
Type: UNKNOWN
14303

Source: SECUNIA
Type: UNKNOWN
14795

Source: SECUNIA
Type: UNKNOWN
15007

Source: SECUNIA
Type: UNKNOWN
17414

Source: SECUNIA
Type: UNKNOWN
17415

Source: CCN
Type: SECTRACK ID: 1013078
ht://dig Input Validation Hole in `config` Parameter Permits Cross-Site Scripting Attacks

Source: SECTRACK
Type: UNKNOWN
1013078

Source: CCN
Type: ASA-2006-029
Cross-site Scripting Vulnerability in docview - htdig (SCOSA-2005.45)

Source: DEBIAN
Type: Patch, Vendor Advisory
DSA-680

Source: DEBIAN
Type: DSA-680
htdig -- unsanitised input

Source: CCN
Type: GLSA-200502-16
ht://Dig: Cross-site scripting vulnerability

Source: GENTOO
Type: UNKNOWN
GLSA-200502-16

Source: CCN
Type: ht://Dig Web site
ht://Dig -- Internet search engine software

Source: MANDRAKE
Type: UNKNOWN
MDKSA-2005:063

Source: FEDORA
Type: UNKNOWN
FLSA-2006:152907

Source: REDHAT
Type: UNKNOWN
RHSA-2005:073

Source: REDHAT
Type: UNKNOWN
RHSA-2005:090

Source: BID
Type: Patch, Vendor Advisory
12442

Source: CCN
Type: BID-12442
Dig Config Parameter Cross-Site Scripting Vulnerability

Source: XF
Type: UNKNOWN
htdig-config-xss(19223)

Source: XF
Type: UNKNOWN
htdig-config-xss(19223)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10878

Vulnerable Configuration:Configuration 1:
  • cpe:/a:htdig:htdig:3.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:htdig:htdig:3.1.5_7:*:*:*:*:*:*:*
  • OR cpe:/a:htdig:htdig:3.1.5_8:*:*:*:*:*:*:*
  • OR cpe:/a:htdig:htdig:3.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:htdig:htdig:3.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:htdig:htdig:3.2.0b2:*:*:*:*:*:*:*
  • OR cpe:/a:htdig:htdig:3.2.0b3:*:*:*:*:*:*:*
  • OR cpe:/a:htdig:htdig:3.2.0b4:*:*:*:*:*:*:*
  • OR cpe:/a:htdig:htdig:3.2.0b5:*:*:*:*:*:*:*
  • OR cpe:/a:htdig:htdig:3.2.0b6:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/o:mandrakesoft:mandrake_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.0:*:amd64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.1:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.1:*:x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1:*:x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:x86_64:*:*:*:*:*
  • OR cpe:/o:redhat:fedora_core:core_3.0:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.0:*:i386:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.2:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.0:*:x86_64:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.2:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20050085
    V
    		CVE-2005-0085
    2015-11-16
    oval:org.mitre.oval:def:10878
    V
    		Cross-site scripting (XSS) vulnerability in ht://dig (htdig) before 3.1.6-r7 allows remote attackers to execute arbitrary web script or HTML via the config parameter, which is not properly sanitized before it is displayed in an error message.
    2013-04-29
    oval:com.redhat.rhsa:def:20050090
    P
    		RHSA-2005:090: htdig security update (Moderate)
    2005-02-15
    oval:org.debian:def:680
    V
    		unsanitised input
    2005-02-14
    BACK
    htdig htdig 3.1.5
    htdig htdig 3.1.5_7
    htdig htdig 3.1.5_8
    htdig htdig 3.1.6
    htdig htdig 3.2.0
    htdig htdig 3.2.0b2
    htdig htdig 3.2.0b3
    htdig htdig 3.2.0b4
    htdig htdig 3.2.0b5
    htdig htdig 3.2.0b6
    mandrakesoft mandrake linux 10.0
    mandrakesoft mandrake linux 10.0
    mandrakesoft mandrake linux 10.1
    mandrakesoft mandrake linux 10.1
    mandrakesoft mandrake linux corporate server 2.1
    mandrakesoft mandrake linux corporate server 2.1
    mandrakesoft mandrake linux corporate server 3.0
    mandrakesoft mandrake linux corporate server 3.0
    redhat fedora core core_3.0
    suse suse linux 8.0
    suse suse linux 8.0
    suse suse linux 8.1
    suse suse linux 8.2
    suse suse linux 9.0
    suse suse linux 9.0
    suse suse linux 9.1
    suse suse linux 9.2