CVE-2006-1120 - Secunia Advisories - Vulnerability Information

CVE Reference: CVE-2006-1120
NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE: CVE-2006-1120

Description: Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 6.1.1 and earlier, with register_globals enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) its_url parameter in the documents page and (2) url parameter in the send_write page of (a) index.php; (3) subject, and (4) images parameters to (b) calendar.php; (5) bid, (6) replying_msg, (7) subject, (8) body, and (9) mid parameters to (c) forums.php; (10) subject and (11) message parameters to (d) inbox.php; (12) subject_color and (13) email parameters to (e) lostpassword.php; and the (14) c_name, (15) content_inicial, and (16) cid parameters to (f) mycontents.php. NOTE: the calendar.php/day vector is already subsumed by CVE-2006-0220, and the calendar.php/month, calendar.php/year, and search.php/q parameters for calendar.php are already subsumed by CVE-2004-2511.

CVE Status: Candidate

References: XF http://xforce.iss.net/xforce/xfdb/25279 SREASON http://securityreason.com/securityalert/392 OSVDB 23980 23979 23978 23977 23976 23981 MISC http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-001.txt BUGTRAQ http://www.securityfocus.com/archive/1/archive/1/427175/100/0/threaded BID 17050

Return to the previous page.