Vulnerability Key Information

Vulnerability Name: DeskPRO Admin Panel Multiple HTML Injections
Date: 2007.08.21
Risk Level: Low
CVE ID: CVE-2007-4413
CWE ID: N/A
Local: Yes
Remote: Yes

Vulnerability Description

Type: HTML Injection

Impact: Attackers can exploit this vulnerability to execute arbitrary script code within the browser of the affected site, enabling them to steal cookie-based authentication credentials and launch other attacks.

Affected Files:
- /admincp/ticket_category.php
- /admincp/ticket_priority.php
- /admincp/ticket_workflow.php
- /admincp/ticket_escalate.php
- /admincp/fields_ticket.php
- /admincp/ticket_rules_web.php
- /admincp/ticket_displayfields.php
- /admincp/ticket_rules_mail.php
- /admincp/fields_user.php
- /admincp/fields_faq.php
- /admincp/user_help.php

Affected Versions: DeskPRO v3.0.2 Beta and earlier versions may be affected.

Attack Method: No specialized tools required; attackers can exploit this vulnerability via a web client.

Additional Information

Submitter: Doz
Category: Input Validation Error
Severity: Medium
Vendor: Headstart Solutions Limited
Website: http://www.deskpro.com/