NVD Vulnerability Detail

CVE-2006-5190

Summary	Multiple cross-site scripting (XSS) vulnerabilities in osCommerce 2.2 Milestone 2 Update 060817 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter in the (a) banner_manager.php, (b) banner_statistics.php, (c) countries.php, (d) currencies.php, (e) languages.php, (f) manufacturers.php, (g) newsletters.php, (h) orders_status.php, (i) products_attributes.php, (j) products_expected.php, (k) reviews.php, (l) specials.php, (m) stats_products_purchased.php, (n) stats_products_viewed.php, (o) tax_classes.php, (p) tax_rates.php, or (q) zones.php scripts in /admin, and the (2) zpage parameter in (r) admin/geo_zones.php.
Publication Date	Oct. 10, 2006, 1:06 p.m.
Registration Date	Jan. 29, 2021, 3:47 p.m.
Last Update	Oct. 5, 2017, 10:29 a.m.

CVSS2.0 : MEDIUM
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	低
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:oscommerce:oscommerce:1.1:::::::*
cpe:2.3:a:oscommerce:oscommerce:1.5.1:::::::*
cpe:2.3:a:oscommerce:oscommerce:1.11:::::::*
cpe:2.3:a:oscommerce:oscommerce:1.12:::::::*
cpe:2.3:a:oscommerce:oscommerce:1.13:::::::*
cpe:2.3:a:oscommerce:oscommerce:2.1:::::::*
cpe:2.3:a:oscommerce:oscommerce:2.2_cvs:::::::*
cpe:2.3:a:oscommerce:oscommerce:2.2_ms1:::::::*
cpe:2.3:a:oscommerce:oscommerce:2.2_ms2:::::::*
cpe:2.3:a:oscommerce:oscommerce::::::::		2.2_ms2_2006-08-17
cpe:2.3:a:oscommerce:oscommerce:2.2_ms3:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	http://lostmon.blogspot.com/2006/10/oscommerce-multiple-scripts-page-param.html	MISC	Exploit
2	http://secunia.com/advisories/22275	SECUNIA	Exploit Vendor Advisory
3	http://securitytracker.com/id?1016979	SECTRACK	Exploit
4	http://www.osvdb.org/29795	OSVDB
5	http://www.osvdb.org/29796	OSVDB
6	http://www.osvdb.org/29797	OSVDB
7	http://www.osvdb.org/29798	OSVDB
8	http://www.osvdb.org/29799	OSVDB
9	http://www.osvdb.org/29800	OSVDB
10	http://www.osvdb.org/29801	OSVDB
11	http://www.osvdb.org/29802	OSVDB
12	http://www.osvdb.org/29803	OSVDB
13	http://www.osvdb.org/29804	OSVDB
14	http://www.osvdb.org/29805	OSVDB
15	http://www.osvdb.org/29806	OSVDB
16	http://www.osvdb.org/29807	OSVDB
17	http://www.osvdb.org/29808	OSVDB
18	http://www.osvdb.org/29809	OSVDB
19	http://www.osvdb.org/29810	OSVDB
20	http://www.osvdb.org/29811	OSVDB
21	http://www.securityfocus.com/bid/20343	BID	Exploit
22	http://www.vupen.com/english/advisories/2006/3917	VUPEN
23	https://exchange.xforce.ibmcloud.com/vulnerabilities/29355	XF
24	https://www.exploit-db.com/exploits/28743/	EXPLOIT-DB
25	https://www.exploit-db.com/exploits/28744/	EXPLOIT-DB
26	https://www.exploit-db.com/exploits/28745/	EXPLOIT-DB
27	https://www.exploit-db.com/exploits/28746/	EXPLOIT-DB
28	https://www.exploit-db.com/exploits/28747/	EXPLOIT-DB
29	https://www.exploit-db.com/exploits/28748/	EXPLOIT-DB
30	https://www.exploit-db.com/exploits/28749/	EXPLOIT-DB
31	https://www.exploit-db.com/exploits/28750/	EXPLOIT-DB
32	https://www.exploit-db.com/exploits/28752/	EXPLOIT-DB
33	https://www.exploit-db.com/exploits/28753/	EXPLOIT-DB
34	https://www.exploit-db.com/exploits/28754/	EXPLOIT-DB
35	https://www.exploit-db.com/exploits/28755/	EXPLOIT-DB
36	https://www.exploit-db.com/exploits/28756/	EXPLOIT-DB
37	https://www.exploit-db.com/exploits/28757/	EXPLOIT-DB
38	https://www.exploit-db.com/exploits/28758/	EXPLOIT-DB
39	https://www.exploit-db.com/exploits/28759/	EXPLOIT-DB

Common Vulnerabilities List

JVN Vulnerability Information

osCommerce Milestone におけるクロスサイトスクリプティングの脆弱性

Title	osCommerce Milestone におけるクロスサイトスクリプティングの脆弱性
Summary	osCommerce Milestone には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	第三者により、以下のパラメータを介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。 (a) /admin 配下の banner_manager.php スクリプトの page パラメータ (b) /admin 配下の banner_statistics.php スクリプトの page パラメータ (c) /admin 配下の countries.php スクリプトの page パラメータ (d) /admin 配下の currencies.php スクリプトの page パラメータ (e) /admin 配下の languages.php スクリプトの page パラメータ (f) /admin 配下の manufacturers.php スクリプトの page パラメータ (g) /admin 配下の newsletters.php スクリプトの page パラメータ (h) /admin 配下の orders_status.php スクリプトの page パラメータ (i) /admin 配下の products_attributes.php スクリプトの page パラメータ (j) /admin 配下の products_expected.php スクリプトの page パラメータ (k) /admin 配下の reviews.php スクリプトの page パラメータ (l) /admin 配下の specials.php スクリプトの page パラメータ (m) /admin 配下の stats_products_purchased.php スクリプトの page パラメータ (n) /admin 配下の stats_products_viewed.php スクリプトの page パラメータ (o) /admin 配下の tax_classes.php スクリプトの page パラメータ (p) /admin 配下の tax_rates.php スクリプトの page パラメータ (q) /admin 配下の zones.php スクリプトの page パラメータ (r) admin/geo_zones.php スクリプトの zpage パラメータ
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Oct. 10, 2006, midnight
Registration Date	Sept. 25, 2012, 3:36 p.m.
Last Update	Sept. 25, 2012, 3:36 p.m.

Affected System

osCommerce

osCommerce 2.2 Milestone 2 Update 060817

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2006-5190	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5190
National Vulnerability Database (NVD)
2	CVE-2006-5190	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5190

ベンダー情報

No	Name	URL
osCommerce
1	Top Page	http://www.oscommerce.com/

Change Log

No	Changed Details	Date of change
0	[2012年09月25日] 掲載	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:oscommerce:oscommerce:1.1:::::::*
cpe:2.3:a:oscommerce:oscommerce:1.5.1:::::::*
cpe:2.3:a:oscommerce:oscommerce:1.11:::::::*
cpe:2.3:a:oscommerce:oscommerce:1.12:::::::*
cpe:2.3:a:oscommerce:oscommerce:1.13:::::::*
cpe:2.3:a:oscommerce:oscommerce:2.1:::::::*
cpe:2.3:a:oscommerce:oscommerce:2.2_cvs:::::::*
cpe:2.3:a:oscommerce:oscommerce:2.2_ms1:::::::*
cpe:2.3:a:oscommerce:oscommerce:2.2_ms2:::::::*
cpe:2.3:a:oscommerce:oscommerce::::::::		2.2_ms2_2006-08-17
cpe:2.3:a:oscommerce:oscommerce:2.2_ms3:::::::*