CVE-2006-6824
PHP iCalendar 1.1/2.x - 'day.php' Cross-Site Scripting
Public Exploits: 11
Exploited in Wild: -
Descriptions
Multiple cross-site scripting (XSS) vulnerabilities in Jim Hu and Chad Little PHP iCalendar 2.23 rc1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) getdate parameter in (a) day.php, (b) month.php, (c) year.php, (d) week.php, (e) search.php, (f) rss/index.php, (g) print.php, and (h) preferences.php; the (2) cpath parameter in (i) day.php, (j) month.php, (k) year.php, (l) week.php, and (m) search.php; the (3) query parameter in search.php; and possibly the cpath, (4) unset, and (5) set parameters in a setcookie action in preferences.php; different vectors than CVE-2006-3319. NOTE: it was later reported that vectors b, c, and d also affect 2.24.
Timeline
- 2006-12-27 First Exploit
- 2006-12-29 CVE Reserved
- 2006-12-29 CVE Published
- 2023-11-02 EPSS Updated
- 2024-08-07 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References (22)
URL | Tag | Source |
---|---|---|
http://www.osvdb.org/32493 | Vdb Entry | |
http://www.osvdb.org/32494 | Vdb Entry | |
http://www.osvdb.org/32495 | Vdb Entry | |
http://www.osvdb.org/32496 | Vdb Entry | |
http://www.osvdb.org/32497 | Vdb Entry | |
http://www.osvdb.org/32498 | Vdb Entry | |
http://www.osvdb.org/32499 | Vdb Entry | |
http://www.osvdb.org/32500 | Vdb Entry | |
http://www.securityfocus.com/archive/1/485397/100/200/threaded | Mailing List | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/31146 | Vdb Entry |
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/29363 | 2006-12-27 | |
https://www.exploit-db.com/exploits/29368 | 2006-12-27 | |
https://www.exploit-db.com/exploits/29364 | 2006-12-27 | |
https://www.exploit-db.com/exploits/29370 | 2006-12-27 | |
https://www.exploit-db.com/exploits/29369 | 2006-12-27 | |
https://www.exploit-db.com/exploits/29367 | 2006-12-27 | |
https://www.exploit-db.com/exploits/29366 | 2006-12-27 | |
https://www.exploit-db.com/exploits/29365 | 2006-12-27 | |
http://lostmon.blogspot.com/2006/12/php-icalendar-multiple-variable-cross.html | 2024-08-07 | |
http://securitytracker.com/id?1017449 | 2024-08-07 | |
http://www.securityfocus.com/bid/21792 | 2024-08-07 |
URL | Date | SRC |
---|---|---|
http://secunia.com/advisories/23499 | 2018-10-17 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Php Icalendar | Php Icalendar | <= 2.23_rc1 | - | Affected |
Php Icalendar | Php Icalendar | 1.1 | - | Affected |
Php Icalendar | Php Icalendar | 2.2_beta | - | Affected |
Php Icalendar | Php Icalendar | 2.22 | - | Affected |
Php Icalendar | Php Icalendar | 2.24 | - | Affected |