CVE-2006-2545

Multiple cross-site scripting (XSS) vulnerabilities in Xtreme Topsites 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter in stats.php and (2) unspecified inputs in lostid.php, probably the searchthis parameter. NOTE: one or more of these vectors might be resultant from SQL injection.

CVSS v2.0 2.6 LOW

2.6^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:H/Au:N/C:N/I:P/A:N

Exploitability : 4.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/18055
http://secunia.com/advisories/20192	Vendor Advisory
http://www.osvdb.org/25702
http://securityreason.com/securityalert/945
http://www.vupen.com/english/advisories/2006/1899	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/26614
http://www.securityfocus.com/archive/1/434568/100/0/threaded

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:xtreme_scripts:xtreme_topsites:1.1:*:*:*:*:*:*:*

Information

Published : 2006-05-23 03:06

Updated : 2018-10-18 09:40

NVD link : CVE-2006-2545

Mitre link : CVE-2006-2545

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advertisement

Products Affected

xtreme_scripts

xtreme_topsites

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.securityfocus.com/bid/18055", "name": "18055", "tags": [], "refsource": "BID"}, {"url": "http://secunia.com/advisories/20192", "name": "20192", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://www.osvdb.org/25702", "name": "25702", "tags": [], "refsource": "OSVDB"}, {"url": "http://securityreason.com/securityalert/945", "name": "945", "tags": [], "refsource": "SREASON"}, {"url": "http://www.vupen.com/english/advisories/2006/1899", "name": "ADV-2006-1899", "tags": ["Vendor Advisory"], "refsource": "VUPEN"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26614", "name": "topsites-stats-join-lostid-xss(26614)", "tags": [], "refsource": "XF"}, {"url": "http://www.securityfocus.com/archive/1/434568/100/0/threaded", "name": "20060519 Xtremescripts Topsites v1.1", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Xtreme Topsites 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter in stats.php and (2) unspecified inputs in lostid.php, probably the searchthis parameter. NOTE: one or more of these vectors might be resultant from SQL injection."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2006-2545", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 2.6, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "LOW", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2006-05-23T10:06Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:xtreme_scripts:xtreme_topsites:1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-18T16:40Z"}