CVE-2006-6356

Multiple cross-site scripting (XSS) vulnerabilities in templates/link_temp.php in PHPNews 1.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) url, (2) id, (3) subject, (4) username, or (5) time parameter.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://secunia.com/advisories/23214	Vendor Advisory
http://securityreason.com/securityalert/1994
http://www.securityfocus.com/archive/1/453321/100/0/threaded
http://www.securityfocus.com/bid/21404	Vendor Advisory
http://www.vupen.com/english/advisories/2006/4826
https://exchange.xforce.ibmcloud.com/vulnerabilities/30664

Configurations

Configuration 1 (hide)

cpe:2.3:a:phpnews:phpnews:1.3:*:*:*:*:*:*:*

History

No history.

Information

Published : 2006-12-07 01:28

Updated : 2024-02-04 17:13

NVD link : CVE-2006-6356

Mitre link : CVE-2006-6356

CVE.ORG link : CVE-2006-6356

JSON object : View

Products Affected

phpnews

phpnews

CWE

NVD-CWE-Other

{"id": "CVE-2006-6356", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}]}, "published": "2006-12-07T01:28:00.000", "references": [{"url": "http://secunia.com/advisories/23214", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://securityreason.com/securityalert/1994", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/453321/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/21404", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.vupen.com/english/advisories/2006/4826", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30664", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in templates/link_temp.php in PHPNews 1.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) url, (2) id, (3) subject, (4) username, or (5) time parameter."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en templates/link_temp.php en PHPNews 1.3.0 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del par\u00e1metro (1) url, (2) id, (3) subject, (4) username o (5) time."}], "lastModified": "2018-10-17T21:47:54.253", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:phpnews:phpnews:1.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5AB303F1-00E0-4B0B-9691-DE9283107574"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org", "evaluatorSolution": "Successful exploitation requires that \"register_globals\" is enabled."}