VAR-200303-0100

Vulnerability from variot - Updated: 2025-04-03 20:30

Cross-site scripting (XSS) vulnerability in parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to insert arbitrary script via the filename parameter, which is inserted into an error message. When an invalid filename is specified from this page, it is output to an error page without sufficient sanitization of HTML and script code. This may permit cross-site scripting attacks to occur if an attacker constructs a malicious link to the page and can entice web users to visit it. Apple Darwin and QuickTime stream management server is a WEB-based service that allows administrators to manage Darwin and QuickTime stream servers. By default, these services listen to port 1220/TCP with ROOT privileges. The parse_xml.cgi of the Darwin/QuickTime streaming server does not sufficiently filter the non-existing file name parameters. If an attacker passes a non-existent file name parameter to the parse_xml.cgi script, the script will generate an error message and record it. If the parameter provided by the attacker contains malicious script code, the administrator can use the Script code is executed on the browser

Show details on source website
To clipboard 

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200303-0100",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "darwin streaming server",
        "scope": "eq",
        "trust": 1.9,
        "vendor": "apple",
        "version": "4.1.2"
      },
      {
        "model": "quicktime streaming server",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "4.1.1"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "6958"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200303-042"
      },
      {
        "db": "NVD",
        "id": "CVE-2003-0053"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Dave G.\u203b daveg@atstake.com\u203bOllie Whitehouse\u203b ollie@atstake.com",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200303-042"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2003-0053",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CVE-2003-0053",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.0,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "VHN-6883",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2003-0053",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200303-042",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-6883",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-6883"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200303-042"
      },
      {
        "db": "NVD",
        "id": "CVE-2003-0053"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Cross-site scripting (XSS) vulnerability in parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to insert arbitrary script via the filename parameter, which is inserted into an error message.  When an invalid filename is specified from this page, it is output to an error page without sufficient sanitization of HTML and script code.  This may permit cross-site scripting attacks to occur if an attacker constructs a malicious link to the page and can entice web users to visit it. Apple Darwin and QuickTime stream management server is a WEB-based service that allows administrators to manage Darwin and QuickTime stream servers. By default, these services listen to port 1220/TCP with ROOT privileges. The parse_xml.cgi of the Darwin/QuickTime streaming server does not sufficiently filter the non-existing file name parameters. If an attacker passes a non-existent file name parameter to the parse_xml.cgi script, the script will generate an error message and record it. If the parameter provided by the attacker contains malicious script code, the administrator can use the Script code is executed on the browser",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2003-0053"
      },
      {
        "db": "BID",
        "id": "6958"
      },
      {
        "db": "VULHUB",
        "id": "VHN-6883"
      }
    ],
    "trust": 1.26
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2003-0053",
        "trust": 2.0
      },
      {
        "db": "BID",
        "id": "6958",
        "trust": 2.0
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200303-042",
        "trust": 0.7
      },
      {
        "db": "BUGTRAQ",
        "id": "20030224 QUICKTIME/DARWIN STREAMING ADMINISTRATION SERVER MULTIPLE VULNERABILITIES",
        "trust": 0.6
      },
      {
        "db": "XF",
        "id": "11404",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-6883",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-6883"
      },
      {
        "db": "BID",
        "id": "6958"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200303-042"
      },
      {
        "db": "NVD",
        "id": "CVE-2003-0053"
      }
    ]
  },
  "id": "VAR-200303-0100",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-6883"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2025-04-03T20:30:35.149000Z",
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-Other",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2003-0053"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/bid/6958"
      },
      {
        "trust": 1.7,
        "url": "http://lists.apple.com/archives/security-announce/2003/feb/25/applesa20030225macosx102.txt"
      },
      {
        "trust": 1.7,
        "url": "http://www.iss.net/security_center/static/11404.php"
      },
      {
        "trust": 1.1,
        "url": "http://marc.info/?l=bugtraq\u0026m=104618904330226\u0026w=2"
      },
      {
        "trust": 0.6,
        "url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=104618904330226\u0026w=2"
      },
      {
        "trust": 0.3,
        "url": "http://www.info.apple.com/usen/security/security_updates.html"
      },
      {
        "trust": 0.1,
        "url": ""
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-6883"
      },
      {
        "db": "BID",
        "id": "6958"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200303-042"
      },
      {
        "db": "NVD",
        "id": "CVE-2003-0053"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-6883"
      },
      {
        "db": "BID",
        "id": "6958"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200303-042"
      },
      {
        "db": "NVD",
        "id": "CVE-2003-0053"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2003-03-07T00:00:00",
        "db": "VULHUB",
        "id": "VHN-6883"
      },
      {
        "date": "2003-02-24T00:00:00",
        "db": "BID",
        "id": "6958"
      },
      {
        "date": "2003-02-24T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200303-042"
      },
      {
        "date": "2003-03-07T05:00:00",
        "db": "NVD",
        "id": "CVE-2003-0053"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2016-10-18T00:00:00",
        "db": "VULHUB",
        "id": "VHN-6883"
      },
      {
        "date": "2015-03-19T09:11:00",
        "db": "BID",
        "id": "6958"
      },
      {
        "date": "2005-05-13T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200303-042"
      },
      {
        "date": "2025-04-03T01:03:51.193000",
        "db": "NVD",
        "id": "CVE-2003-0053"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200303-042"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Apple QuickTime/Darwin Streaming Server Parse_XML.CGI Cross-Site Scripting Vulnerability",
    "sources": [
      {
        "db": "BID",
        "id": "6958"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200303-042"
      }
    ],
    "trust": 0.9
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "input validation",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200303-042"
      }
    ],
    "trust": 0.6
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.