CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score
Confidence: High

EPSS
Percentile: 86.6%

Multiple cross-site scripting (XSS) vulnerabilities in Jim Hu and Chad Little PHP iCalendar 2.23 rc1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) getdate parameter in (a) day.php, (b) month.php, (c) year.php, (d) week.php, (e) search.php, (f) rss/index.php, (g) print.php, and (h) preferences.php; the (2) cpath parameter in (i) day.php, (j) month.php, (k) year.php, (l) week.php, and (m) search.php; the (3) query parameter in search.php; and possibly the cpath, (4) unset, and (5) set parameters in a setcookie action in preferences.php; different vectors than CVE-2006-3319. NOTE: it was later reported that vectors b, c, and d also affect 2.24.

Vendor | Product | Version | CPE |
---|---|---|---|
php_icalendar | php_icalendar | * | cpe:2.3:a:php_icalendar:php_icalendar:*:*:*:*:*:*:*:* |
php_icalendar | php_icalendar | 1.1 | cpe:2.3:a:php_icalendar:php_icalendar:1.1:*:*:*:*:*:*:* |
php_icalendar | php_icalendar | 2.2_beta | cpe:2.3:a:php_icalendar:php_icalendar:2.2_beta:*:*:*:*:*:*:* |
php_icalendar | php_icalendar | 2.22 | cpe:2.3:a:php_icalendar:php_icalendar:2.22:*:*:*:*:*:*:* |
php_icalendar | php_icalendar | 2.24 | cpe:2.3:a:php_icalendar:php_icalendar:2.24:*:*:*:*:*:*:* |
lostmon.blogspot.com/2006/12/php-icalendar-multiple-variable-cross.html
secunia.com/advisories/23499
securitytracker.com/id?1017449
www.osvdb.org/32493
www.osvdb.org/32494
www.osvdb.org/32495
www.osvdb.org/32496
www.osvdb.org/32497
www.osvdb.org/32498
www.osvdb.org/32499
www.osvdb.org/32500
www.securityfocus.com/archive/1/485397/100/200/threaded
www.securityfocus.com/bid/21792
exchange.xforce.ibmcloud.com/vulnerabilities/31146