CVE-2006-5791

Multiple cross-site scripting (XSS) vulnerabilities in elogd.c in ELOG 2.6.2 and earlier allow remote attackers to inject arbitrary HTML or web script via (1) the filename for downloading, which is not quoted in an error message by the send_file_direct function, and (2) the Type or Category values in a New entry, which is not properly handled in an error message by the submit_elog function.

CVSS v2.0 2.6 LOW

2.6^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:H/Au:N/C:N/I:P/A:N

Exploitability : 4.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=392016
http://www.securityfocus.com/bid/20881
http://www.securityfocus.com/bid/20882
http://secunia.com/advisories/22638	Vendor Advisory
http://www.debian.org/security/2006/dsa-1242
http://secunia.com/advisories/23580
http://www.vupen.com/english/advisories/2006/4315
https://exchange.xforce.ibmcloud.com/vulnerabilities/29986

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:stefan_ritt:elog_web_logbook:*:*:*:*:*:*:*:*

Information

Published : 2006-11-07 15:07

Updated : 2017-07-19 18:33

NVD link : CVE-2006-5791

Mitre link : CVE-2006-5791

JSON object : View

CWE

NVD-CWE-Other

Advertisement

Products Affected

stefan_ritt

elog_web_logbook

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=392016", "name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=392016", "tags": [], "refsource": "MISC"}, {"url": "http://www.securityfocus.com/bid/20881", "name": "20881", "tags": [], "refsource": "BID"}, {"url": "http://www.securityfocus.com/bid/20882", "name": "20882", "tags": [], "refsource": "BID"}, {"url": "http://secunia.com/advisories/22638", "name": "22638", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://www.debian.org/security/2006/dsa-1242", "name": "DSA-1242", "tags": [], "refsource": "DEBIAN"}, {"url": "http://secunia.com/advisories/23580", "name": "23580", "tags": [], "refsource": "SECUNIA"}, {"url": "http://www.vupen.com/english/advisories/2006/4315", "name": "ADV-2006-4315", "tags": [], "refsource": "VUPEN"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29986", "name": "elog-nonexistent-files-xss(29986)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in elogd.c in ELOG 2.6.2 and earlier allow remote attackers to inject arbitrary HTML or web script via (1) the filename for downloading, which is not quoted in an error message by the send_file_direct function, and (2) the Type or Category values in a New entry, which is not properly handled in an error message by the submit_elog function."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2006-5791", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 2.6, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "LOW", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2006-11-07T23:07Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:stefan_ritt:elog_web_logbook:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "2.6.2"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-07-20T01:33Z"}