CVE-2006-0657 - Cross-site scripting (XSS) vulnerability in Softcomplex PHP Event Calendar 1.5 allows remote authent

CVE-2006-0657

Summary

Cross-site scripting (XSS) vulnerability in Softcomplex PHP Event Calendar 1.5 allows remote authenticated users to inject arbitrary web script or HTML, and corrupt data, via the (1) username and (2) password parameters, which are not sanitized before being written to users.php. NOTE: while this issue was originally reported as XSS, the primary issue might be direct static code injection with resultant XSS.

References

Vulnerable Configurations

cpe:2.3:a:softcomplex:php_event_calendar:1.5:*:*:*:*:*:*:*
cpe:2.3:a:softcomplex:php_event_calendar:1.5:*:*:*:*:*:*:*

CVSS

Base:	3.5 (as of 20-07-2017 - 01:29)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	SINGLE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:N/AC:M/Au:S/C:N/I:P/A:N

refmap via4

bid	16588
misc	http://evuln.com/vulns/63/summary.html
osvdb	23071 23072
secunia	18792
sreason	442
vupen	ADV-2006-0507
xf	phpeventcalendar-users-xss(24523)

Last major update

20-07-2017 - 01:29

Published

13-02-2006 - 11:06

Last modified

20-07-2017 - 01:29