Vulnerabilities > CVE-2006-1120 - Cross-Site Scripting vulnerability in DCP Portal

047910
CVSS 2.6 - LOW
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
high complexity
codeworx-technologies
exploit available

Summary

Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 6.1.1 and earlier, with register_globals enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) its_url parameter in the documents page and (2) url parameter in the send_write page of (a) index.php; (3) subject, and (4) images parameters to (b) calendar.php; (5) bid, (6) replying_msg, (7) subject, (8) body, and (9) mid parameters to (c) forums.php; (10) subject and (11) message parameters to (d) inbox.php; (12) subject_color and (13) email parameters to (e) lostpassword.php; and the (14) c_name, (15) content_inicial, and (16) cid parameters to (f) mycontents.php. NOTE: the calendar.php/day vector is already subsumed by CVE-2006-0220, and the calendar.php/month, calendar.php/year, and search.php/q parameters for calendar.php are already subsumed by CVE-2004-2511.

Exploit-Db

  • descriptionDCP-Portal 3.7/4.x/5.x/6.x index.php Multiple Parameter XSS. CVE-2006-1120. Webapps exploit for php platform
    idEDB-ID:27390
    last seen2016-02-03
    modified2006-03-09
    published2006-03-09
    reporterNenad Jovanovic
    sourcehttps://www.exploit-db.com/download/27390/
    titleDCP-Portal 3.7/4.x/5.x/6.x index.php Multiple Parameter XSS
  • descriptionDCP-Portal 3.7/4.x/5.x/6.x inbox.php Multiple Parameter XSS. CVE-2006-1120. Webapps exploit for php platform
    idEDB-ID:27393
    last seen2016-02-03
    modified2006-03-09
    published2006-03-09
    reporterNenad Jovanovic
    sourcehttps://www.exploit-db.com/download/27393/
    titleDCP-Portal 3.7/4.x/5.x/6.x inbox.php Multiple Parameter XSS
  • descriptionDCP-Portal 3.7/4.x/5.x/6.x forums.php Multiple Parameter XSS. CVE-2006-1120. Webapps exploit for php platform
    idEDB-ID:27392
    last seen2016-02-03
    modified2006-03-09
    published2006-03-09
    reporterNenad Jovanovic
    sourcehttps://www.exploit-db.com/download/27392/
    titleDCP-Portal 3.7/4.x/5.x/6.x forums.php Multiple Parameter XSS
  • descriptionDCP-Portal 3.7/4.x/5.x/6.x calendar.php Multiple Parameter XSS. CVE-2006-1120. Webapps exploit for php platform
    idEDB-ID:27391
    last seen2016-02-03
    modified2006-03-09
    published2006-03-09
    reporterNenad Jovanovic
    sourcehttps://www.exploit-db.com/download/27391/
    titleDCP-Portal 3.7/4.x/5.x/6.x calendar.php Multiple Parameter XSS
  • descriptionDCP-Portal 3.7/4.x/5.x/6.x mycontents.php Multiple Parameter XSS. CVE-2006-1120 . Webapps exploit for php platform
    idEDB-ID:27395
    last seen2016-02-03
    modified2006-03-09
    published2006-03-09
    reporterNenad Jovanovic
    sourcehttps://www.exploit-db.com/download/27395/
    titleDCP-Portal 3.7/4.x/5.x/6.x mycontents.php Multiple Parameter XSS
  • descriptionDCP-Portal 3.7/4.x/5.x/6.x lostpassword.php Multiple Parameter XSS. CVE-2006-1120 . Webapps exploit for php platform
    idEDB-ID:27394
    last seen2016-02-03
    modified2006-03-09
    published2006-03-09
    reporterNenad Jovanovic
    sourcehttps://www.exploit-db.com/download/27394/
    titleDCP-Portal 3.7/4.x/5.x/6.x lostpassword.php Multiple Parameter XSS