CVE-2006-0800

Exploit

EPSS 7.48%
Published 20.02.2006 22:02:00
Last modified 03.04.2025 01:03:51
Source cve@mitre.org
Teams watchlist Login
Open Login

Interpretation conflict in PostNuke 0.761 and earlier allows remote attackers to conduct cross-site scripting (XSS) attacks via HTML tags with a trailing "<" character, which is interpreted as a ">" character by some web browsers but bypasses the blacklist protection in (1) the pnVarCleanFromInput function in pnAPI.php, (2) the pnSecureInput function in pnAntiCracker.php, and (3) the htmltext parameter in an edituser operation to user.php.

Affected products Warnungen 0 Metrics 2 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

Postnuke Software Foundation ≫ Postnuke Version0.7

Postnuke Software Foundation ≫ Postnuke Version0.62

Postnuke Software Foundation ≫ Postnuke Version0.63

Postnuke Software Foundation ≫ Postnuke Version0.64

Postnuke Software Foundation ≫ Postnuke Version0.70

Postnuke Software Foundation ≫ Postnuke Version0.71

Postnuke Software Foundation ≫ Postnuke Version0.72

Postnuke Software Foundation ≫ Postnuke Version0.73

Postnuke Software Foundation ≫ Postnuke Version0.74

Postnuke Software Foundation ≫ Postnuke Version0.75

Postnuke Software Foundation ≫ Postnuke Version0.75_rc3

Postnuke Software Foundation ≫ Postnuke Version0.76_rc4

Postnuke Software Foundation ≫ Postnuke Version0.76_rc4a

Postnuke Software Foundation ≫ Postnuke Version0.76_rc4b

Postnuke Software Foundation ≫ Postnuke Version0.703

Postnuke Software Foundation ≫ Postnuke Version0.721

Postnuke Software Foundation ≫ Postnuke Version0.726.3

Postnuke Software Foundation ≫ Postnuke Version0.761

Postnuke Software Foundation ≫ Postnuke Version0.761a

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	7.48%	0.909

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	2.6	4.9	2.9	AV:N/AC:H/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0469.html

http://news.postnuke.com/index.php?name=News&file=article&sid=2754

Patch

http://secunia.com/advisories/18937

Patch

Vendor Advisory

http://securityreason.com/securityalert/454

http://www.securityfocus.com/bid/16752

Patch

Exploit

http://www.vupen.com/english/advisories/2006/0673

Vendor Advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/24823

https://nvd.nist.gov/vuln/detail/CVE-2006-0800

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2006-0800

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2006-0800

EUVD