National Cyber-Alert System
Vulnerability Summary for CVE-2005-4481
Original release date:12/22/2005
Last revised:09/20/2008
Source:
US-CERT/NIST
Overview
** DISPUTED ** Cross-site scripting (XSS) vulnerability in Polopoly 9 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified search parameters. NOTE: the vendor has disputed this vulnerability, stating that the "XSS flaw was only part of the custom implementation of the [polopoly] site". As of 20061003, CVE has no further information on this issue, except that the original researcher has a history of testing live sites and assuming that discoveries indicate vulnerabilities in the associated package.
Impact
CVSS Severity (version 2.0):
Impact Subscore:
6.4
Exploitability Subscore:
8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type:Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service
- Official Statement from Polopoly (10/05/2006)
-
1. The XSS flaw described was only part of the custom implementation of the http://www.polopoly.com/ site. It was never part of any version of any Polopoly product, nor delivered to any of Polopoly’s customers.
2. The XSS flaw that existed (the search form in the upper right corner) on the www.polopoly.com site has been fixed.
3. When www.polopoly.com had the XSS flaw it was based on Polopoly 8.6. Polopoly 9.x was never involved what so ever in this issue. And as I said earlier, the flaw was not part of Polopoly 8.6 either, it was only in custom implementation code of the www.polopoly.com site.
4. The www.polopoly.com site is not personalized nor permission controlled, so there was no information of any value to steal by exploiting the XSS flaw.
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.
External Source: BID
Name: 16007
External Source: OSVDB
Name: 21878
External Source: VIM
Name: 20060926 vendor dispute: 21878: Polopoly Search Module XSS (fwd)
External Source: MISC
Name: http://pridels0.blogspot.com/2005/12/polopoly-xss-vuln.html