ID: OSVDB:24271
Title: [V]Book index.php Multiple Variable XSS
Type: osvdb
Reporter: Aliaksandr Hartsuyeu (alex@evuln.com)
Modified: 2006-03-29T04:02:39
Description
Vulnerability Description
[V]Book 2.0 contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'autor', 'www', 'temat', or 'tresc' variables upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Solution Description
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Short Description
[V]Book 2.0 contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'autor', 'www', 'temat', or 'tresc' variables upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
References:
Vendor URL: http://www.vscripts.pl/?id=vbook2
Secunia Advisory ID: 19448 (https://secuniaresearch.flexerasoftware.com/advisories/19448/)
Related OSVDB ID: 24270 (https://vulners.com/osvdb/OSVDB:24270)
Related OSVDB ID: 24272 (https://vulners.com/osvdb/OSVDB:24272)
Other Advisory URL: http://evuln.com/vulns/111/summary.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-04/0208.html
Keyword: EV0111
ISS X-Force ID: 25521
FrSIRT Advisory: ADV-2006-1174
CVE: CVE-2006-1562 (https://vulners.com/cve/CVE-2006-1562)
Bugtraq ID: 17319
Related records

CVE-2006-1562 (NVD; published 2006-03-31, modified 2018-10-18)
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1562
Description: Multiple cross-site scripting (XSS) vulnerabilities in index.php in vscripts (aka Kuba Kunkiewicz) [V]Book (aka VBook) 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) autor, (2) www, (3) temat, and (4) tresc parameters.
CVSS v2: 6.8 (MEDIUM), vector AV:N/AC:M/Au:N/C:P/I:P/A:P; exploitability subscore 8.6, impact subscore 6.4
CWE: NVD-CWE-Other
CPE: cpe:/a:vscripts:vbook:2.0 (cpe:2.3:a:vscripts:vbook:2.0:*:*:*:*:*:*:*)

SECURITYVULNS:DOC:12179 "[eVuln] [V]Book Multiple Vulnerabilities" (published 2006-04-12)
https://vulners.com/securityvulns/SECURITYVULNS:DOC:12179
CVEs: CVE-2006-1561, CVE-2006-1562, CVE-2006-1563
CVSS: 7.6, vector AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE

Mailing list post text:

New eVuln Advisory:
[V]Book Multiple Vulnerabilities
http://evuln.com/vulns/111/summary.html

--------------------Summary----------------
eVuln ID: EV0111
CVE: CVE-2006-1561 CVE-2006-1562 CVE-2006-1563
Software: [V]Book
Software's Web Site: http://www.vscripts.pl/?id=vbook2
Versions: 2.0
Critical Level: Dangerous
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched. No reply from developer(s)
PoC/Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

-----------------Description---------------
1. SQL Injection.

Vulnerable script: index.php

Parameter x is not properly sanitized before being used in an SQL query. This can be used to evaluate an arbitrary SQL expression.

Condition: magic_quotes_gpc = off

2. Multiple Cross-Site Scripting.

Vulnerable Script: index.php

Parameters autor, www, temat, tresc are not properly sanitized. This can be used to post arbitrary HTML or web script code.

3. PHP Code Insertion.

The administrator has the ability to edit variable values from the config.php file. This can be used to insert arbitrary PHP code into the config file, which is executed by every PHP script.

System access is possible.

Condition: magic_quotes_gpc = off

--------------PoC/Exploit----------------------
Available at: http://evuln.com/vulns/111/exploit.html

--------------Solution---------------------
No Patch available.

--------------Credit-----------------------
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Regards,
Aliaksandr Hartsuyeu
http://evuln.com - Penetration Testing Services