Lucene search

[email protected]NVD:CVE-2006-6824

HistoryDec 29, 2006 - 11:28 a.m.

CVE-2006-6824

2006-12-2911:28:00

CWE-79

[email protected]

web.nvd.nist.gov

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

5.8

Confidence

High

EPSS

0.014

Percentile

86.6%

JSON

Multiple cross-site scripting (XSS) vulnerabilities in Jim Hu and Chad Little PHP iCalendar 2.23 rc1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) getdate parameter in (a) day.php, (b) month.php, © year.php, (d) week.php, (e) search.php, (f) rss/index.php, (g) print.php, and (h) preferences.php; the (2) cpath parameter in (i) day.php, (j) month.php, (k) year.php, (l) week.php, and (m) search.php; the (3) query parameter in search.php; and possibly the cpath, (4) unset, and (5) set parameters in a setcookie action in preferences.php; different vectors than CVE-2006-3319. NOTE: it was later reported that vectors b, c, and d also affect 2.24.

Affected configurations

Nvd

Node

php_icalendarphp_icalendarRange≤2.23_rc1

php_icalendarphp_icalendarMatch1.1

php_icalendarphp_icalendarMatch2.2_beta

php_icalendarphp_icalendarMatch2.22

php_icalendarphp_icalendarMatch2.24

VendorProductVersionCPE
php_icalendarphp_icalendar*cpe:2.3:a:php_icalendar:php_icalendar:*:*:*:*:*:*:*:*
php_icalendarphp_icalendar1.1cpe:2.3:a:php_icalendar:php_icalendar:1.1:*:*:*:*:*:*:*
php_icalendarphp_icalendar2.2_betacpe:2.3:a:php_icalendar:php_icalendar:2.2_beta:*:*:*:*:*:*:*
php_icalendarphp_icalendar2.22cpe:2.3:a:php_icalendar:php_icalendar:2.22:*:*:*:*:*:*:*
php_icalendarphp_icalendar2.24cpe:2.3:a:php_icalendar:php_icalendar:2.24:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
php_icalendar	php_icalendar	*	cpe:2.3:a:php_icalendar:php_icalendar::::::::
php_icalendar	php_icalendar	1.1	cpe:2.3:a:php_icalendar:php_icalendar:1.1:::::::*
php_icalendar	php_icalendar	2.2_beta	cpe:2.3:a:php_icalendar:php_icalendar:2.2_beta:::::::*
php_icalendar	php_icalendar	2.22	cpe:2.3:a:php_icalendar:php_icalendar:2.22:::::::*
php_icalendar	php_icalendar	2.24	cpe:2.3:a:php_icalendar:php_icalendar:2.24:::::::*

References

lostmon.blogspot.com/2006/12/php-icalendar-multiple-variable-cross.html

secunia.com/advisories/23499

securitytracker.com/id?1017449

www.osvdb.org/32493

www.osvdb.org/32494

www.osvdb.org/32495

www.osvdb.org/32496

www.osvdb.org/32497

www.osvdb.org/32498

www.osvdb.org/32499

www.osvdb.org/32500

www.securityfocus.com/archive/1/485397/100/200/threaded

www.securityfocus.com/bid/21792

exchange.xforce.ibmcloud.com/vulnerabilities/31146

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

5.8

Confidence

High

EPSS

0.014

Percentile

86.6%

JSON

Related for NVD:CVE-2006-6824

cve2 cvelist2 exploitdb8 nvd1