Cross-site scripting (XSS) vulnerability in desktop.php in eyeOS 0.8.4 allows remote attackers to inject arbitrary web script or HTML via the motd parameter.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| eyeos_project | eyeos | 0.8.4 |
eyeOS 0.8.4 stores usrinfo.xml under the web document root with insufficient access control, which allows remote attackers to obtain user credentials.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| eyeos_project | eyeos | 0.8.4 |
desktop.php in eyeOS 0.8.9 and earlier tests for the existence of the _SESSION variable before calling the session_start function, which allows remote attackers to execute arbitrary PHP code and possibly conduct other attacks by modifying critical assumed-immutable variables, as demonstrated using PHP code in the _SESSION[apps][eyeOptions.eyeapp][wrapup] variable.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| eyeos_project | eyeos | 0.8.3 |
| eyeos_project | eyeos | 0.8.4_r1 |
| eyeos_project | eyeos | 0.8.7 |
| eyeos_project | eyeos | 0.8.2 |
| eyeos_project | eyeos | 0.8.6 |
| eyeos_project | eyeos | 0.8.2_r2 |
| eyeos_project | eyeos | 0.8.5 |
| eyeos_project | eyeos | 0.8.4 |
| eyeos_project | eyeos | 0.8.1 |
| eyeos_project | eyeos | 0.8.3_r2 |
| eyeos_project | eyeos | 0.8.5_r1 |
| eyeos_project | eyeos | 0.8.8 |
| eyeos_project | eyeos | 0.8.1_r1 |
| eyeos_project | eyeos | 0.8.3_r1 |
| eyeos_project | eyeos | 0.8.9 |
| eyeos_project | eyeos | 0.8.2_r3 |
| eyeos_project | eyeos | 0.8 |
| eyeos_project | eyeos | 0.8.2_r1 |