ID CVE-2006-3555
Summary Multiple cross-site scripting (XSS) vulnerabilities in submit.php in PHP-Fusion before 6.01.3 allow remote attackers to inject arbitrary web script or HTML by using edit_profile.php to upload a (1) avatar or (2) forum image attachment that has a .gif or .jpg extension, and begins with a GIF header followed by JavaScript code, which is executed by Internet Explorer.
References
Vulnerable Configurations
  • cpe:2.3:a:php_fusion:php_fusion:6.00.3:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.100:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.101:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.102:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.103:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.104:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.0.105:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.105:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.0.106:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.106:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.0.107:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.107:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.108:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.109:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.110:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.200:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.204:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.205:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.206:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.207:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.300:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.303:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.304:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.306:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.00.307:*:*:*:*:*:*:*
  • cpe:2.3:a:php_fusion:php_fusion:6.01.2:*:*:*:*:*:*:*
CVSS
Base: 5.8 (as of 18-10-2018 - 16:47)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:N
refmap via4
bid 18787
bugtraq 20060701 Php-Fusion (Xss) With Avatar Upload
confirm http://php-fusion.co.uk/news.php
secunia 20904
sreason 1224
vupen ADV-2006-2655
xf phpfusion-avatar-xss(27537)
Last major update 18-10-2018 - 16:47
Published 13-07-2006 - 00:05
Last modified 18-10-2018 - 16:47