The following entries on the Common Vulnerabilities and Exposures (CVE) web site (http://cve.mitre.org) and elsewhere are examples of XSS vulnerabilities.
For some reason, there is no CVE number for this. An attacker can bypass Lotus Notes HTML encoding in a computed value by adding square ([ and ]) brackets to the beginning and end of a field for some data types. Read more at www.securityfocus.com/bid/11458.
Again, there is no CVE associated with this. Oracle's HTTP server is based on Apache 1.3.x, and there is an XSS bug in the isqlplus script that does not properly handle the action, username, and password parameters. An attack might look something like this:
http://[target]/isqlplus?action=logon&username=xyzzy%22%3e%3cscript%3ealert('XSS')%3c/script%3e&password=xyzzy%3cscript%3ealert('XSS')%3c/script%3e
Read more at www.securitytracker.com/alerts/2004/Jan/1008838.html.
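As an added illustration (not from the book, and not Oracle's code), the following Python decodes the parameters of the attack URL quoted above and contrasts reflecting them raw with reflecting them HTML-encoded, which is what "does not properly handle" comes down to. The logon form markup is a constructed stand-in for whatever isqlplus actually emits.

```python
from html import escape
from urllib.parse import parse_qs

# Constructed from the attack URL quoted in the text; [target] is a placeholder host.
ATTACK_URL = ("http://[target]/isqlplus?action=logon"
              "&username=xyzzy%22%3e%3cscript%3ealert('XSS')%3c/script%3e"
              "&password=xyzzy%3cscript%3ealert('XSS')%3c/script%3e")

# Hypothetical logon form that echoes the submitted values back into
# attribute values. The vulnerable and hardened renderers differ only in
# whether those values are HTML-encoded before insertion.
FORM = ('<form action="/isqlplus"><input name="username" value="{username}">'
        '<input name="password" value="{password}"></form>')


def decode_params(url):
    """Return the URL-decoded query parameters as a dict of single values.

    The query string is split off by hand because the placeholder host
    '[target]' is not a valid bracketed IPv6 literal for urlsplit().
    """
    query = url.split("?", 1)[1] if "?" in url else ""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_vulnerable(params):
    """Reflect the decoded values verbatim, as the flawed script is described to do."""
    return FORM.format(username=params["username"], password=params["password"])


def render_hardened(params):
    """HTML-encode each value for the attribute context before reflecting it.

    escape() with quote=True turns <, >, &, " and ' into entities, so the
    injected quote cannot close the attribute and the tag cannot open.
    """
    return FORM.format(username=escape(params["username"], quote=True),
                       password=escape(params["password"], quote=True))


def has_script_tag(html):
    """Crude check used here only to show whether a live <script> tag survived."""
    return "<script" in html.lower()


if __name__ == "__main__":
    p = decode_params(ATTACK_URL)
    print("decoded username:", p["username"])
    print("vulnerable output contains <script>:", has_script_tag(render_vulnerable(p)))
    print("hardened output contains <script>:  ", has_script_tag(render_hardened(p)))
```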
An XSS vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x before 1.3.26. Read more at http://cert.uni-stuttgart.de/archive/bugtraq/2002/10/msg00017.html.