Lucene search

[email protected]CVE-2006-3208

HistoryJun 24, 2006 - 1:06 a.m.

CVE-2006-3208

2006-06-2401:06:00

NVD-CWE-Other

[email protected]

web.nvd.nist.gov

cve-2006-3208

ultimate php board

upb

code injection

remote authentication

php

configuration settings

vulnerability

nvd

8.1 High

AI Score

Confidence

Low

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

73.5%

JSON

Direct static code injection vulnerability in Ultimate PHP Board (UPB) 1.9.6 and earlier allows remote authenticated administrators to execute arbitrary PHP code via multiple unspecified “configuration fields” in (1) admin_chatconfig.php, (2) admin_configcss.php, (3) admin_config.php, or (4) admin_config2.php, which are stored as configuration settings. NOTE: this issue can be exploited by remote attackers by leveraging other vulnerabilities in UPB.

CPENameOperatorVersion
ultimate_php_board:ultimate_php_boardultimate php boardeq1.9.6
ultimate_php_board:ultimate_php_boardultimate php boardeq1.8
ultimate_php_board:ultimate_php_boardultimate php boardeq1.8.2
ultimate_php_board:ultimate_php_boardultimate php boardeq1.9

CPE	Name	Operator	Version
ultimate_php_board:ultimate_php_board	ultimate php board	eq	1.9.6
ultimate_php_board:ultimate_php_board	ultimate php board	eq	1.8
ultimate_php_board:ultimate_php_board	ultimate php board	eq	1.8.2
ultimate_php_board:ultimate_php_board	ultimate php board	eq	1.9

References

securityreason.com/securityalert/1138

www.kliconsulting.com/users/mbrooks/UPB_0-day.txt

www.securityfocus.com/archive/1/437875/100/0/threaded

8.1 High

AI Score

Confidence

Low

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

73.5%

JSON