CVE-2006-0648

Multiple directory traversal vulnerabilities in PHP iCalendar 2.0.1, 2.1, and 2.2 allow remote attackers to include arbitrary files via the (1) getdate and possibly other parameters used in the replace_files function in search.php and (2) $file variable as used in the parse function in functions/template.php.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://evuln.com/vulns/70/summary.html	Exploit Patch Vendor Advisory
http://phpicalendar.net/forums/viewtopic.php?t=396
http://secunia.com/advisories/18778	Patch Vendor Advisory
http://securityreason.com/securityalert/420
http://www.securityfocus.com/archive/1/424424/100/0/threaded
http://www.securityfocus.com/bid/16557
http://www.vupen.com/english/advisories/2006/0493
https://exchange.xforce.ibmcloud.com/vulnerabilities/24591

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:php_icalendar:php_icalendar:2.0:::::::*
	cpe:2.3:a:php_icalendar:php_icalendar:2.0.1:::::::*
	cpe:2.3:a:php_icalendar:php_icalendar:2.1:::::::*

History

No history.

Information

Published : 2006-02-13 11:06

Updated : 2024-02-04 16:52

NVD link : CVE-2006-0648

Mitre link : CVE-2006-0648

CVE.ORG link : CVE-2006-0648

JSON object : View

Products Affected

php_icalendar

php_icalendar

CWE

NVD-CWE-Other

{"id": "CVE-2006-0648", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2006-02-13T11:06:00.000", "references": [{"url": "http://evuln.com/vulns/70/summary.html", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://phpicalendar.net/forums/viewtopic.php?t=396", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/18778", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://securityreason.com/securityalert/420", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/424424/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/16557", "source": "cve@mitre.org"}, {"url": "http://www.vupen.com/english/advisories/2006/0493", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24591", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Multiple directory traversal vulnerabilities in PHP iCalendar 2.0.1, 2.1, and 2.2 allow remote attackers to include arbitrary files via the (1) getdate and possibly other parameters used in the replace_files function in search.php and (2) $file variable as used in the parse function in functions/template.php."}], "lastModified": "2018-10-19T15:45:44.443", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:php_icalendar:php_icalendar:2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B902EBA5-32AA-4944-A2CA-321ABB86839D"}, {"criteria": "cpe:2.3:a:php_icalendar:php_icalendar:2.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0C478599-DCFC-4FEA-BCCF-1E76BD27B1BD"}, {"criteria": "cpe:2.3:a:php_icalendar:php_icalendar:2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "869538E6-ECAA-4768-9368-ECEA2CD9ADEF"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}