CVE-2009-2240
Description
Cross-site scripting (XSS) vulnerability in AD2000 free-sw leger (aka Web Conference Room Free) 1.6.4 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in AD2000 leger (free edition) 1.6.4 and earlier allows remote attackers to inject arbitrary web script or HTML.
Vulnerability
leger (free edition) from AD2000, a web-based conference room reservation system, contains a cross-site scripting (XSS) vulnerability in versions 1.6.4 and earlier. The vectors through which arbitrary web script or HTML can be injected are unspecified. The vendor initially released version 1.6.4 on May 22, 2009 as a security update, but it was found to be insufficient. The vulnerability was fully addressed in version 1.6.5, released on May 26, 2009 [1][2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious input or link that, when accessed by a user, injects arbitrary script or HTML into the user's web browser. The attack can be performed remotely without authentication, but requires user interaction (e.g., clicking a link). The CVSS v2 score of 4.3 (medium) indicates moderate attack complexity [1].
Impact
Successful exploitation allows an attacker to execute arbitrary scripts in the context of the victim's browser. This can lead to information disclosure, session hijacking, or other malicious actions performed on behalf of the user. The impact is limited to the user's browser session; the vulnerability does not directly affect the server's confidentiality or availability [1][2].
Mitigation
Users should update to version 1.6.5 of leger (free edition), released on May 26, 2009, which fully resolves the vulnerability. Version 1.6.4 (May 22, 2009) did not adequately fix the issue. No workarounds are documented in the available references [1][2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References (5)
News mentions
No linked articles in our index yet.