Vulnerability CVE-2006-1277


Published: 2006-03-19   Modified: 2011-03-07

Description:
Cross-site scripting (XSS) vulnerability in signup.php in @1 File Store 2006.03.07 allows remote attackers to inject arbitrary web script or HTML via the (1) real_name, (2) email, and (3) login parameters.

Vendor: Upoint
Product: At1 file store 
Version: 2006.03.07;

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5.8/10
4.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
None

 References:
http://www.vupen.com/english/advisories/2006/0943
http://www.securityfocus.com/bid/17090
http://www.securityfocus.com/archive/1/archive/1/428659/100/0/threaded
http://www.osvdb.org/23850
http://securitytracker.com/id?1015826
http://secunia.com/advisories/19224
http://evuln.com/vulns/95/summary.html
http://xforce.iss.net/xforce/xfdb/25182

Related CVE
CVE-2006-1436
Multiple cross-site scripting (XSS) vulnerabilities in UPOINT @1 Event Publisher allow remote attackers to inject arbitrary web script or HTML via the (1) Event, (2) Description, (3) Time, (4) Website, and (5) Public Remarks fields to (a) eventpublis...
CVE-2006-1437
UPOINT @1 Event Publisher stores sensitive information under the web document root with insufifcient access control, which allows remote attackers to read private comments via a direct request to eventpublisher.txt.
CVE-2006-1278
SQL injection vulnerability in @1 File Store 2006.03.07 allows remote attackers to execute arbitrary SQL commands via the id parameter to (1) functions.php and (2) user.php in the libs directory, (3) edit.php and (4) delete.php in control/files/, (5)...

Copyright 2017, cxsecurity.com

 

Back to Top