Key Vulnerability Information

Vulnerability Note: VU#138538
Vulnerability Type: Cross-site scripting (XSS)
Product: WebEOC
CVE ID: CVE-2005-2282
Severity Metric: 6.08
CVSS Metrics: Available (Base, Temporal, Environmental)

Description

Overview: WebEOC contains multiple cross-site scripting vulnerabilities that may allow a remote attacker to inject and execute arbitrary script using a vulnerable WebEOC site.

Impact: A remote attacker may execute arbitrary script and retrieve sensitive data, including authentication and medical information.

Solution: Upgrade to Version 6.0.2, which addresses this vulnerability by adding validation checks to input fields.

Additional Information

Vendor Information: The vendor (ESi) is affected.

References:
- http://www.esi911.com/esi/products/webeoc.shtml
- http://www.esi911.com/esi/support/support.htm
- http://secunia.com/advisories/16075/

Acknowledgements: Thanks to IOActive and additional information from ESi, and the City of Seattle.

Date Information:
- Public: 2005-07-13
- First Published: 2005-07-13
- Last Updated: 2005-07-26 UTC

Document Revision: 47