CVE-2003-0404

Name of the Vulnerable Software and Affected Versions: Vignette StoryServer versions 4 and 5 Vignette V/5 and V/6

Description: The issue allows remote attackers to insert arbitrary HTML and script via text variables. This can be demonstrated using the errInfo parameter of the default login template, such as "/api/v1/login" or similar endpoints. The vulnerability enables attackers to execute malicious scripts on the client-side.

Recommendations: For Vignette StoryServer versions 4 and 5, and Vignette V/5 and V/6, consider restricting access to the errInfo parameter in the default login template as a temporary workaround until a patch is available. Avoid using the errInfo parameter in affected API endpoints until the issue is resolved.