CVE-2002-2377 in Zap Bookinfo

Summary

by MITRE

Cross-site scripting (XSS) vulnerability in addentry.cgi in ZAP 1.0.3 allows remote attackers to inject arbitrary SSI directives, web script, and HTML via the entry field.


Analysis

by VulDB Data Team • 08/26/2025

CVE-2002-2377 is a critical cross-site scripting flaw in the addentry.cgi script of the ZAP 1.0.3 web application. It falls under CWE-79 (Cross-Site Scripting) and stems from improper validation of user input in the processing of the application's entry field. The flaw lies in the server-side script that handles user submissions, and it lets malicious actors execute arbitrary script in the context of other users' browsers.

Exploitation occurs when an attacker submits malicious content through the entry field parameter of the addentry.cgi script. The application does not sanitize or escape user input before processing and storing it, which allows injection of HTML tags, JavaScript code, and Server-Side Includes (SSI) directives. Because the injected content is stored, it executes in a victim's browser whenever other users view the affected entries, making this a persistent cross-site scripting vector.

From an operational impact perspective, this vulnerability poses significant risks to the confidentiality and integrity of user data within the ZAP application environment. The ability to inject arbitrary scripts means attackers can potentially steal session cookies, redirect users to malicious sites, deface web pages, or perform actions on behalf of authenticated users. The vulnerability affects the application's core functionality by compromising the trust model between users and the system, potentially leading to unauthorized access to sensitive information and system compromise.

The exploitation of CVE-2002-2377 aligns with ATT&CK technique T1566.001 for initial access through malicious HTML email and T1548.001 for privilege escalation through code injection. Organizations using ZAP 1.0.3 should implement immediate mitigations including input validation and output encoding for all user-supplied data. The recommended approach involves sanitizing all input parameters, implementing proper HTML escaping mechanisms, and deploying web application firewalls to detect and block malicious payloads. Additionally, upgrading to patched versions of the ZAP application or implementing proper parameter validation in the addentry.cgi script would provide effective remediation against this vulnerability.
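The input validation and output encoding recommended above, sketched as an added example; it is not code from ZAP or from VulDB. Python stands in for the CGI script's language, which the page does not state, and the function names, the length limit and the sample submissions are assumptions made for illustration.

```python
import html
import re

# Hypothetical limit; the page does not state one for the entry field.
MAX_ENTRY_LEN = 2000

# Opening of a Server-Side Include directive, e.g. <!--#echo ... -->
SSI_OPEN = re.compile(r"<!--\s*#")
# Opening or closing HTML tag, e.g. <script> or </b>
TAG_OPEN = re.compile(r"<\s*/?\s*[a-zA-Z]")


def validate_entry(raw: str) -> str:
    """Input validation: bound the length and drop control characters."""
    if len(raw) > MAX_ENTRY_LEN:
        raise ValueError("entry too long")
    # Keep tab and newline; strip every other control character.
    return "".join(
        ch for ch in raw
        if ch in "\t\n" or (ord(ch) >= 0x20 and ch != "\x7f")
    )


def render_entry(raw: str) -> str:
    """Output encoding: build the HTML fragment written to the stored page."""
    # Escaping '<' turns tags and SSI directives into inert text, because
    # both the browser and an SSI parser look for the literal '<'.
    encoded = html.escape(validate_entry(raw), quote=True)
    return '<p class="entry">' + encoded + "</p>"


def is_suspicious(raw: str) -> bool:
    """Logging aid: flag submissions that carry tags or SSI directives."""
    return bool(SSI_OPEN.search(raw) or TAG_OPEN.search(raw))


# Constructed sample submissions, not taken from any advisory.
SAMPLES = [
    "Nice site, thanks!",
    "<script>alert(1)</script>",
    '<!--#echo var="DATE_LOCAL" -->',
    "1 < 2 & 3 > 2",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(is_suspicious(sample), render_entry(sample))
```

Encoding is applied to every entry regardless of what `is_suspicious` returns; the flag is only for logging and review, so a legitimate entry such as `1 < 2 & 3 > 2` is stored safely without being rejected.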

Reservation: 10/31/2007

Disclosure: 12/31/2002

Moderation: accepted

Entry: VDB-20019

CPE: ready

EPSS: 0.00407

KEV: no

Activities: very low
