Executive Summary

Information
Name: CVE-2006-1120
First vendor Publication: 2006-03-09
Vendor: Cve
Last vendor Modification: 2024-11-21

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Cvss Base Score: 2.6
Cvss Impact Score: 2.9
Cvss Exploit Score: 4.9
Attack Range: Network
Attack Complexity: High
Authentication: None Required

Detail

Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 6.1.1 and earlier, with register_globals enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) its_url parameter in the documents page and (2) url parameter in the send_write page of (a) index.php; (3) subject, and (4) images parameters to (b) calendar.php; (5) bid, (6) replying_msg, (7) subject, (8) body, and (9) mid parameters to (c) forums.php; (10) subject and (11) message parameters to (d) inbox.php; (12) subject_color and (13) email parameters to (e) lostpassword.php; and the (14) c_name, (15) content_inicial, and (16) cid parameters to (f) mycontents.php. NOTE: the calendar.php/day vector is already subsumed by CVE-2006-0220, and the calendar.php/month, calendar.php/year, and search.php/q parameters for calendar.php are already subsumed by CVE-2004-2511.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1120

CPE : Common Platform Enumeration

Type  Description  Count
Application  13

Open Source Vulnerability Database (OSVDB)

Id Description
23981 DCP-Portal mycontents.php Multiple Parameter XSS

DCP-Portal contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'c_name', 'content_inicial', and 'cid' variables upon submission to the mycontents.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
23980 DCP-Portal lostpassword.php Multiple Parameter XSS

DCP-Portal contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'subject_color' and 'email' variables upon submission to the lostpassword.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
23979 DCP-Portal inbox.php Multiple Parameter XSS

DCP-Portal contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'subject' and 'message' variables upon submission to the inbox.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
23978 DCP-Portal forums.php Multiple Parameter XSS

DCP-Portal contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'bid', 'replying_msg', 'subject', 'body', and 'mid' variables upon submission to the forums.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
23977 DCP-Portal calendar.php Multiple Parameter XSS

DCP-Portal contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'subject' and 'images' variables upon submission to the calendar.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
23976 DCP-Portal index.php Multiple Parameter XSS

DCP-Portal contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'its_url' variable in the documents page and the 'url' variable in the send_write page, via the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Sources (Detail)

http://securityreason.com/securityalert/392
http://www.osvdb.org/23976
http://www.osvdb.org/23977
http://www.osvdb.org/23978
http://www.osvdb.org/23979
http://www.osvdb.org/23980
http://www.osvdb.org/23981
http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-001.txt
http://www.securityfocus.com/archive/1/427175/100/0/threaded
http://www.securityfocus.com/bid/17050
https://exchange.xforce.ibmcloud.com/vulnerabilities/25279

Alert History

Date Information
2024-11-28 23:20:57
  • Multiple Updates
2024-11-28 12:08:27
  • Multiple Updates
2021-05-04 12:03:46
  • Multiple Updates
2021-04-22 01:04:19
  • Multiple Updates
2020-05-23 00:17:29
  • Multiple Updates
2018-10-18 21:20:00
  • Multiple Updates
2017-07-20 09:23:24
  • Multiple Updates
2016-06-28 15:39:18
  • Multiple Updates
2013-05-11 10:51:13
  • Multiple Updates