CVE-2012-1004 : Multiple cross-site scripting (XSS) vulnerabilities in UI/Register.pm in Foswiki

Multiple cross-site scripting (XSS) vulnerabilities in UI/Register.pm in Foswiki before 1.1.5 allow remote authenticated users with CHANGE privileges to inject arbitrary web script or HTML via the (1) text, (2) FirstName, (3) LastName, (4) OrganisationName, (5) OrganisationUrl, (6) Profession, (7) Country, (8) State, (9) Address, (10) Location, (11) Telephone, (12) VoIP, (13) InstantMessagingIM, (14) Email, (15) HomePage, or (16) Comment parameter. NOTE: some of these details are obtained from third party information.

Published 2012-02-08 04:11:32

Updated 2025-04-11 00:51:22

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2012-1004

Foswiki » Foswiki » Version: 1.1.0
cpe:2.3:a:foswiki:foswiki:1.1.0:*:*:*:*:*:*:*
Matching versions
Foswiki » Foswiki » Version: 1.1.1
cpe:2.3:a:foswiki:foswiki:1.1.1:*:*:*:*:*:*:*
Matching versions
Foswiki » Foswiki » Version: 1.1.2
cpe:2.3:a:foswiki:foswiki:1.1.2:*:*:*:*:*:*:*
Matching versions
Foswiki » Foswiki » Version: 1.1.3
cpe:2.3:a:foswiki:foswiki:1.1.3:*:*:*:*:*:*:*
Matching versions
Foswiki » Foswiki » Version: 1.1.4
cpe:2.3:a:foswiki:foswiki:1.1.4:*:*:*:*:*:*:*
Matching versions
Foswiki » Foswiki » Version: 1.1.4 Update RC
cpe:2.3:a:foswiki:foswiki:1.1.4:rc:*:*:*:*:*:*
Matching versions
Foswiki » Foswiki » Version: 1.1.4 Update Beta
cpe:2.3:a:foswiki:foswiki:1.1.4:beta:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2012-1004

EPSS FAQ

0.26%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 46 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2012-1004

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
2.1	LOW	AV:N/AC:H/Au:S/C:N/I:P/A:N	3.9	2.9	NIST
Access Vector: Network Access Complexity: High Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2012-1004

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-1004

http://st2tea.blogspot.com/2012/02/foswiki-cross-site-scripting.html

st2tea: Foswiki Cross Site Scripting
http://secunia.com/advisories/47849

Sign in
Vendor Advisory
http://foswiki.org/Tasks/Item11501

Item11501: User registration needs mechanism to validate form fields < Tasks < Foswiki
http://foswiki.org/Support/SecurityAlert-CVE-2012-1004

SecurityAlert-CVE-2012-1004 < Support < Foswiki
Vendor Advisory
http://foswiki.org/Tasks/Item11498

Item11498: Implement a new whitelist mechanism to help sanitize the =script= zone < Tasks < Foswiki

Jump to

Vulnerability Details : CVE-2012-1004

Products affected by CVE-2012-1004

Exploit prediction scoring system (EPSS) score for CVE-2012-1004

CVSS scores for CVE-2012-1004

CWE ids for CVE-2012-1004

References for CVE-2012-1004