CVE-2005-1782
Description
Multiple cross-site scripting (XSS) vulnerabilities in BookReview beta 1.0 allow remote attackers to inject arbitrary web script or HTML via the node parameter to (1) add_review.htm, (2) suggest_review.htm, (3) suggest_category.htm, (4) add_booklist.htm, or (5) add_url.htm, the isbn parameter to (6) add_review.htm, (7) add_contents.htm, (8) add_classification.htm, the (9) chapters parameter to the add_contents page in index.php (aka add_contents.htm), (10) the user parameter to contact.htm, or (11) the submit[string] parameter to search.htm. NOTE: it is not clear whether BookReview is available to the public. If not, then it should not be included in CVE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple XSS vulnerabilities in BookReview beta 1.0 allow remote attackers to inject arbitrary script via various parameters.
Vulnerability
BookReview beta 1.0 contains multiple cross-site scripting (XSS) vulnerabilities. The application fails to validate user-supplied input in several parameters across multiple scripts. Affected parameters include node in add_review.htm, suggest_review.htm, suggest_category.htm, add_booklist.htm, and add_url.htm; isbn in add_review.htm, add_contents.htm, and add_classification.htm; chapters in add_contents.htm; user in contact.htm; and submit[string] in search.htm. All files are accessed via index.php with the page parameter or directly via the .htm files [1].
Exploitation
An attacker can exploit these vulnerabilities by crafting a malicious URL containing injected script code in any of the vulnerable parameters. No authentication is required; the attacker only needs to trick a victim into clicking the crafted link. For example, a URL like http://[victim]/add_review.htm?isbn=0801052319&node= will execute arbitrary JavaScript in the victim's browser [1].
Impact
Successful exploitation allows remote attackers to execute arbitrary web script or HTML in the context of the victim's browser. This can lead to session hijacking, cookie theft, defacement, or other malicious actions, resulting in a loss of integrity and confidentiality [1].
Mitigation
No official fix or patch was available at the time of disclosure (May 2005). The vendor was notified but no solution was provided. Users are advised to disable or restrict access to the application until a patch is released. The application's availability to the public is unclear [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
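The following is an added example, not BookReview's own code (which the record notes may not be public): a PHP rendering of the reflected-output pattern the advisory describes, beside the output-encoding fix that removes it. Only the parameter names (node, isbn, submit[string]) come from the CVE; the render functions and page markup are hypothetical.

```php
<?php
// Added example, not BookReview's code. Parameter names come from the CVE;
// the page layout and function names are assumptions for illustration.

// VULNERABLE: the value of ?node= and ?isbn= is copied verbatim into HTML,
// so any markup or script in the value is interpreted by the browser.
function render_add_review_vulnerable(array $get): string
{
    $node = $get['node'] ?? '';
    $isbn = $get['isbn'] ?? '';
    return '<input type="hidden" name="node" value="' . $node . '">'
         . '<p>ISBN: ' . $isbn . '</p>';
}

// Encode a value for an HTML text node or a double-quoted attribute.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE keeps malformed
// UTF-8 from making htmlspecialchars() return '' and silently drop input.
function h($value): string
{
    // A parameter sent as an array (node[]=x) is never valid here; return
    // '' rather than leaking "Array" or an "Array to string" notice.
    if (!is_scalar($value)) {
        return '';
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// HARDENED: every reflected parameter passes through h() at the point of
// output, which is the contextual fix the advisory's affected pages lack.
function render_add_review_hardened(array $get): string
{
    $node = $get['node'] ?? '';
    $isbn = $get['isbn'] ?? '';
    return '<input type="hidden" name="node" value="' . h($node) . '">'
         . '<p>ISBN: ' . h($isbn) . '</p>';
}

// search.htm reads a nested parameter; '??' uses isset() semantics, so a
// plain string submit= (wrong shape) yields '' without a warning.
function render_search_hardened(array $get): string
{
    $q = $get['submit']['string'] ?? '';
    return '<p>Results for: ' . h($q) . '</p>';
}

// Constructed request in the advisory's shape, with a harmless markup value.
$req = ['isbn' => '0801052319', 'node' => '"><b>injected</b>'];
echo render_add_review_vulnerable($req), "\n"; // markup becomes part of the page
echo render_add_review_hardened($req), "\n";   // markup is rendered as text
```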
Affected products
- cpe:2.3:a:w.m.r._simpson:bookreview:1.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lostmon.blogspot.com/2005/05/bookreview-10-multiple-variable-xss.html (nvd: Exploit, Vendor Advisory)
- securitytracker.com/id (nvd: Vendor Advisory)
- www.osvdb.org/16871 (nvd: Vendor Advisory)
- www.osvdb.org/16872 (nvd: Vendor Advisory)
- www.osvdb.org/16873 (nvd: Vendor Advisory)
- www.osvdb.org/16874 (nvd: Vendor Advisory)
- www.osvdb.org/16875 (nvd: Vendor Advisory)
- www.osvdb.org/16876 (nvd: Vendor Advisory)
- www.osvdb.org/16877 (nvd: Vendor Advisory)
- www.osvdb.org/16878 (nvd: Vendor Advisory)
- www.osvdb.org/16879 (nvd: Vendor Advisory)
- www.securityfocus.com/bid/13783 (nvd: Vendor Advisory)
News mentions
No linked articles in our index yet.