Vulnerability CVE-2011-3010 - CERT Civis.Net

Vulnerability Name:

CVE-2011-3010 (CCN-70037)

Assigned:

2011-09-22

Published:

2011-09-22

Updated:

2012-05-18

Summary:

Multiple cross-site scripting (XSS) vulnerabilities in TWiki before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the newtopic parameter in a WebCreateNewTopic action, related to the TWiki.WebCreateNewTopicTemplate topic; or (2) the query string to SlideShow.pm in the SlideShowPlugin.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: BUGTRAQ
Type: UNKNOWN
20110922 XSS Vulnerabilities in TWiki < 5.1.0

Source: CCN
Type: Full-Disclosure Mailing List, Thu Sep 22 2011
XSS Vulnerabilities in TWiki < 5.1.0

Source: MITRE
Type: CNA
CVE-2011-3010

Source: CONFIRM
Type: UNKNOWN
http://develop.twiki.org/trac/changeset/21920

Source: CCN
Type: SA46123
TWiki Two Cross-Site Scripting Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
46123

Source: SECTRACK
Type: UNKNOWN
1026091

Source: CCN
Type: Security Alert CVE-2011-3010
XSS Vulnerability with Topic Create and Slideshows

Source: CONFIRM
Type: UNKNOWN
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2011-3010

Source: MISC
Type: UNKNOWN
http://www.mavitunasecurity.com/xss-vulnerability-in-twiki5

Source: OSVDB
Type: UNKNOWN
75673

Source: OSVDB
Type: UNKNOWN
75674

Source: CCN
Type: OSVDB ID: 75673
TWiki bin/view/Main/Jump newtopic Parameter XSS

Source: CCN
Type: OSVDB ID: 75674
TWiki SlideShowPlugin Slide Show Pages URI XSS

Source: BID
Type: UNKNOWN
49746

Source: CCN
Type: BID-49746
TWiki (CVE-2011-3010) Multiple Cross Site Scripting Vulnerabilities

Source: CCN
Type: Twiki Web Site
TWiki - the Open Source Enterprise Wiki and Web 2.0 Application Platform

Source: XF
Type: UNKNOWN
twiki-jump-slideshow-xss(70037)

Vulnerable Configuration:

Configuration 1:

cpe:/a:twiki:twiki:4.0:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.0.0:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.0.1:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.0.4:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.0.5:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.1.0:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.1.1:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.1.2:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.2.0:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.2.1:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.2.2:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.2.3:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.2.4:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.3.0:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.3.2:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:4.5.0:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:5.0.0:*:*:*:*:*:*:*

OR cpe:/a:twiki:twiki:*:*:*:*:*:*:*:* (Version <= 5.0.1)

Denotes that component is vulnerable