CVE-2006-1120
Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 6.1.1 and earlier, with register_globals enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) its_url parameter in the documents page and (2) url parameter in the send_write page of (a) index.php; (3) subject, and (4) images parameters to (b) calendar.php; (5) bid, (6) replying_msg, (7) subject, (8) body, and (9) mid parameters to (c) forums.php; (10) subject and (11) message parameters to (d) inbox.php; (12) subject_color and (13) email parameters to (e) lostpassword.php; and the (14) c_name, (15) content_inicial, and (16) cid parameters to (f) mycontents.php. NOTE: the calendar.php/day vector is already subsumed by CVE-2006-0220, and the calendar.php/month, calendar.php/year, and search.php/q parameters for calendar.php are already subsumed by CVE-2004-2511.
Affected products: n/a

Public PoCs found: 6
www.exploit-db.com/exploits/27390 (exploitdb, unverified)
www.exploit-db.com/exploits/27391 (exploitdb, unverified)
www.exploit-db.com/exploits/27392 (exploitdb, unverified)
www.exploit-db.com/exploits/27393 (exploitdb, unverified)
www.exploit-db.com/exploits/27394 (exploitdb, unverified)
www.exploit-db.com/exploits/27395 (exploitdb, unverified)
Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://securityreason.com/securityalert/392
https://exchange.xforce.ibmcloud.com/vulnerabilities/25279
http://www.osvdb.org/23976
http://www.osvdb.org/23977
http://www.osvdb.org/23978
http://www.osvdb.org/23979
http://www.osvdb.org/23980
http://www.osvdb.org/23981
http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-001.txt
http://www.securityfocus.com/archive/1/427175/100/0/threaded
http://www.securityfocus.com/bid/17050