A vulnerability, which was classified as problematic, has been found in DaDaBIK. This issue affects an unknown code. The manipulation of the argument select_single with an unknown input leads to a cross site scripting vulnerability. Using CWE to declare the problem leads to CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Impacted is integrity. The summary by CVE is:

Cross-site scripting (XSS) vulnerability in DaDaBIK before 4.3 beta2, when the insert or edit feature is enabled, allows remote authenticated users to inject arbitrary web script or HTML via the select_single parameter.

The weakness was disclosed 12/01/2010 (Website). The advisory is shared at securityfocus.com. The identification of this vulnerability is CVE-2010-4355 since 12/01/2010. The attack may be initiated remotely. A simple authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1059.007 for this issue.

Upgrading to version 4.3 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at X-Force (63219). The entry 55586 is pretty similar.

Productinfo

Name

• DaDaBIK

Version

• 1.0.1
• 1.0.2
• 1.0.3
• 1.0.4
• 1.0.5
• 1.1
• 1.5
• 1.5b
• 1.6
• 1.7
• 1.8
• 1.9
• 1.9.1
• 2.0.1
• 2.1
• 2.1b
• 2.2.1
• 3.0
• 3.1
• 3.2
• 4.0
• 4.1
• 4.2
• 4.3

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion