Fix CVE Details for yabb_xss.nasl [CVE-2004-2402]

Lednerb · February 3, 2021, 4:08pm

There is a mismatch in the current yabb_xss.nasl file between the actual test done and the CVE description.

CVE-2004-2402 is the correct one for the XSS, CVE-2004-2403 covers a CSRF attack that is not handled in the nasl script.

Below you can find the appropriate diff output for patching the script in the repository:

$ diff /var/lib/openvas/plugins/pre2008/yabb_xss.nasl ./fixed-yabb_xss.nasl
6a7,10
> # Sascha Brendel <sascha.brendel@dgc.org>
> # Fixes by Deutsche Gesellschaft fuer Cybersicherheit
> #   - fixed CVE id, CVSS base score and vector according to the correct CVE
> #
35c39
<   script_tag(name:"last_modification", value:"2020-08-24 15:18:35 +0000 (Mon, 24 Aug 2020)");
---
>   script_tag(name:"last_modification", value:"2021-02-03 15:18:35 +0100 (Wed, 03 Feb 2021)");
37c41
<   script_cve_id("CVE-2004-2402", "CVE-2004-2403");
---
>   script_cve_id("CVE-2004-2402");
39,40c43,44
<   script_tag(name:"cvss_base", value:"10.0");
<   script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
---
>   script_tag(name:"cvss_base", value:"4.3");
>   script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");

Please let me know when an update is available.

Best regards,
Sascha Brendel

_ad · February 5, 2021, 8:42am

Hello Sascha,

please note that, although it is an active check just for the XSS vulnerability, it also confirms the existence of the more severe CSRF vulnerability, as they share the same affected versions.

On a GSM you can always overwrite the severity manually, so the 10.0 can be dropped to the desired 4.3 for example.

From my side I see no error here, nor a need of an update of this VT in regards to remove a CVE and decrease the CVSS score. What we could to is decrease the QoD to remote_analysis as those XSS checks are not really reliable. Since it’s quite an aged vulnerability, implementing an updated PoC is out of question, I fear.

Let me know what you think.

Cheers,
Adrian

cfi · February 9, 2021, 7:04am

Thanks for your report / the passed information.

Nevertheless i fully agree with @_ad. If an active VT is checking for a flaw (e.g. CVE-2004-2402) but the very same version (both CVEs are affecting YaBB 1 GOLD SP 1.3.2 and below) is also affecting a different flaw (e.g. CVE-2004-2403) it is absolutely valid and common practice to add both CVEs to this VT even if only one flaw is actively tested.

One thing what could be done is to mention the CSRF vulnerability in the VT in addition to the other two vulnerabilities. This will be done today and should arrive in the feed in the next few days.