CVE-2006-6824 Information
Description
Multiple cross-site scripting (XSS) vulnerabilities in Jim Hu and Chad Little PHP iCalendar 2.23 rc1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) getdate parameter in (a) day.php, (b) month.php, (c) year.php, (d) week.php, (e) search.php, (f) rss/index.php, (g) print.php, and (h) preferences.php; the (2) cpath parameter in (i) day.php, (j) month.php, (k) year.php, (l) week.php, and (m) search.php; the (3) query parameter in search.php; and possibly the cpath (4) unset and (5) set parameters in a setcookie action in preferences.php; different vectors than CVE-2006-3319. NOTE: it was later reported that vectors b, c, and d also affect 2.24.
Reference
http://lostmon.blogspot.com/2006/12/php-icalendar-multiple-variable-cross.html
http://secunia.com/advisories/23499
http://securitytracker.com/id?1017449
http://www.osvdb.org/32493
http://www.osvdb.org/32494
http://www.osvdb.org/32495
http://www.osvdb.org/32496
http://www.osvdb.org/32497
http://www.osvdb.org/32498
http://www.osvdb.org/32499
http://www.osvdb.org/32500
http://www.securityfocus.com/archive/1/485397/100/200/threaded
http://www.securityfocus.com/bid/21792
https://exchange.xforce.ibmcloud.com/vulnerabilities/31146