NVD Vulnerability Detail

CVE-2006-6824

Summary	Multiple cross-site scripting (XSS) vulnerabilities in Jim Hu and Chad Little PHP iCalendar 2.23 rc1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) getdate parameter in (a) day.php, (b) month.php, (c) year.php, (d) week.php, (e) search.php, (f) rss/index.php, (g) print.php, and (h) preferences.php; the (2) cpath parameter in (i) day.php, (j) month.php, (k) year.php, (l) week.php, and (m) search.php; the (3) query parameter in search.php; and possibly the cpath, (4) unset, and (5) set parameters in a setcookie action in preferences.php; different vectors than CVE-2006-3319. NOTE: it was later reported that vectors b, c, and d also affect 2.24.
Publication Date	Dec. 29, 2006, 8:28 p.m.
Registration Date	Jan. 29, 2021, 3:52 p.m.
Last Update	Oct. 18, 2018, 6:49 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:php_icalendar:php_icalendar:1.1:::::::*
cpe:2.3:a:php_icalendar:php_icalendar:2.2_beta:::::::*
cpe:2.3:a:php_icalendar:php_icalendar:2.22:::::::*
cpe:2.3:a:php_icalendar:php_icalendar::::::::		2.23_rc1
cpe:2.3:a:php_icalendar:php_icalendar:2.24:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	http://lostmon.blogspot.com/2006/12/php-icalendar-multiple-variable-cross.html	MISC	Exploit
2	http://secunia.com/advisories/23499	SECUNIA	Vendor Advisory
3	http://securitytracker.com/id?1017449	SECTRACK	Exploit
4	http://www.osvdb.org/32493	OSVDB
5	http://www.osvdb.org/32494	OSVDB
6	http://www.osvdb.org/32495	OSVDB
7	http://www.osvdb.org/32496	OSVDB
8	http://www.osvdb.org/32497	OSVDB
9	http://www.osvdb.org/32498	OSVDB
10	http://www.osvdb.org/32499	OSVDB
11	http://www.osvdb.org/32500	OSVDB
12	http://www.securityfocus.com/archive/1/485397/100/200/threaded	BUGTRAQ
13	http://www.securityfocus.com/bid/21792	BID	Exploit
14	https://exchange.xforce.ibmcloud.com/vulnerabilities/31146	XF

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN Vulnerability Information

Jim Hu and Chad Little PHP iCalendar におけるクロスサイトスクリプティングの脆弱性

Title	Jim Hu and Chad Little PHP iCalendar におけるクロスサイトスクリプティングの脆弱性
Summary	Jim Hu and Chad Little PHP iCalendar には、クロスサイトスクリプティングの脆弱性が存在します。本脆弱性は、CVE-2006-3319 とは異なる脆弱性です。
Possible impacts	第三者により、以下を介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。 (1) day.php、month.php、year.php、week.php、search.php、rss/index.php、print.php、および preferences.php 内の getdate パラメータ (2) day.php、month.php、year.php、week.php、および search.php 内の cpath パラメータ (3) search.php 内の query パラメータ (4) preferences.php 内の setcookie アクションの cpath unset パラメータ (5) preferences.php 内の setcookie アクションの cpath set パラメータ
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Dec. 29, 2006, midnight
Registration Date	Sept. 25, 2012, 3:36 p.m.
Last Update	Sept. 25, 2012, 3:36 p.m.

Affected System

phpicalendar

phpicalendar 2.23 rc1 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2006-6824	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6824
National Vulnerability Database (NVD)
2	CVE-2006-6824	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6824

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
phpicalendar
1	Top Page	http://www.phpicalendar.net/

Change Log

No	Changed Details	Date of change
0	[2012年09月25日] 掲載	Feb. 17, 2018, 10:37 a.m.