ID CVE-2006-5190
Summary Multiple cross-site scripting (XSS) vulnerabilities in osCommerce 2.2 Milestone 2 Update 060817 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter in the (a) banner_manager.php, (b) banner_statistics.php, (c) countries.php, (d) currencies.php, (e) languages.php, (f) manufacturers.php, (g) newsletters.php, (h) orders_status.php, (i) products_attributes.php, (j) products_expected.php, (k) reviews.php, (l) specials.php, (m) stats_products_purchased.php, (n) stats_products_viewed.php, (o) tax_classes.php, (p) tax_rates.php, or (q) zones.php scripts in /admin, and the (2) zpage parameter in (r) admin/geo_zones.php.
References
Vulnerable Configurations
  • cpe:2.3:a:oscommerce:oscommerce:1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oscommerce:oscommerce:1.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oscommerce:oscommerce:1.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oscommerce:oscommerce:1.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oscommerce:oscommerce:1.13:*:*:*:*:*:*:*
  • cpe:2.3:a:oscommerce:oscommerce:2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oscommerce:oscommerce:2.2_cvs:*:*:*:*:*:*:*
  • cpe:2.3:a:oscommerce:oscommerce:2.2_ms1:*:*:*:*:*:*:*
  • cpe:2.3:a:oscommerce:oscommerce:2.2_ms2:*:*:*:*:*:*:*
  • cpe:2.3:a:oscommerce:oscommerce:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oscommerce:oscommerce:2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oscommerce:oscommerce:2.2:rc1:*:*:*:*:*:*
  • cpe:2.3:a:oscommerce:oscommerce:2.2:rc2:*:*:*:*:*:*
  • cpe:2.3:a:oscommerce:oscommerce:2.2:rc_2a:*:*:*:*:*:*
  • cpe:2.3:a:oscommerce:oscommerce:2.2_ms2_2006-08-17:*:*:*:*:*:*:*
  • cpe:2.3:a:oscommerce:oscommerce:2.2_ms3:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 05-10-2017 - 01:29)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: PARTIAL
  Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
refmap via4
bid 20343
exploit-db
  • 28743
  • 28744
  • 28745
  • 28746
  • 28747
  • 28748
  • 28749
  • 28750
  • 28752
  • 28753
  • 28754
  • 28755
  • 28756
  • 28757
  • 28758
  • 28759
misc http://lostmon.blogspot.com/2006/10/oscommerce-multiple-scripts-page-param.html
osvdb
  • 29795
  • 29796
  • 29797
  • 29798
  • 29799
  • 29800
  • 29801
  • 29802
  • 29803
  • 29804
  • 29805
  • 29806
  • 29807
  • 29808
  • 29809
  • 29810
  • 29811
sectrack 1016979
secunia 22275
vupen ADV-2006-3917
xf oscommerce-page-xss(29355)
Last major update 05-10-2017 - 01:29
Published 10-10-2006 - 04:06
Last modified 05-10-2017 - 01:29