CVE-2006-6386

Cross-site scripting (XSS) vulnerability in the CVS management/tracker 4.7.x-1.0, 4.7.x-2.0, and 4.7.0 (before the 20060807 contribution release system) for Drupal allows remote attackers to inject arbitrary web script or HTML via the motivation field in the CVS application page, which is not passed through check_markup on display.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://drupal.org/node/101540	Patch Vendor Advisory
http://secunia.com/advisories/23261	Patch Vendor Advisory
http://www.securityfocus.com/bid/21455
http://www.vupen.com/english/advisories/2006/4870
https://exchange.xforce.ibmcloud.com/vulnerabilities/30748

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:drupal:cvs_management_and_tracker:4.7_1.0:::::::*
	cpe:2.3:a:drupal:cvs_management_and_tracker:4.7_2.0:::::::*

History

No history.

Information

Published : 2006-12-08 01:28

Updated : 2017-07-29 01:29

NVD link : CVE-2006-6386

Mitre link : CVE-2006-6386

CVE.ORG link : CVE-2006-6386

JSON object : View

Products Affected

drupal

cvs_management_and_tracker

CWE

NVD-CWE-Other

{"id": "CVE-2006-6386", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}]}, "published": "2006-12-08T01:28:00.000", "references": [{"url": "http://drupal.org/node/101540", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/23261", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/21455", "source": "cve@mitre.org"}, {"url": "http://www.vupen.com/english/advisories/2006/4870", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30748", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the CVS management/tracker 4.7.x-1.0, 4.7.x-2.0, and 4.7.0 (before the 20060807 contribution release system) for Drupal allows remote attackers to inject arbitrary web script or HTML via the motivation field in the CVS application page, which is not passed through check_markup on display."}, {"lang": "es", "value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el administrador/seguidor de CVS 4,7.x-1.0, 4.7.x-2.0, y 4.7.0 (anterior al sistema de publicaci\u00f3n de contribuciones del 07/08/2006) para Drupal permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s del campo motivation en la p\u00e1gina de solicitud CVS, la cual no se pasa por check_markup (comprobar etiquetado) al mostrarse."}], "lastModified": "2017-07-29T01:29:30.797", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:drupal:cvs_management_and_tracker:4.7_1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6AD84146-FAAF-48C6-8DBB-9F2B8141AAA5"}, {"criteria": "cpe:2.3:a:drupal:cvs_management_and_tracker:4.7_2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17E53FC4-411F-4C79-84C3-9B8627FF871C"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}