CVE-2006-3366 - Unspecified vulnerability in V3 Chat V3 Chat Beta
Summary
Multiple cross-site scripting (XSS) vulnerabilities in V3 Chat allow remote attackers to inject arbitrary web script or HTML via crafted HTML tags, as demonstrated by the IMG tag, in the (1) id parameter in (a) mail/index.php and (b) mail/reply.php; (2) login_id parameter in (c) members/is_online.php; (3) site_id parameter in (d) messenger/online.php, (e) messenger/search.php, and (f) messenger/profile.php; (4) contact_name parameter in messenger/search.php; (5) membername parameter in (g) messenger/profileview.php; (6) unspecified parameters used when "editing a profile"; and (7) cust_name parameter in (h) messenger/expire.php. NOTE: The vendor disputes the vectors involving files in the messenger directory, stating "... the referenced folder 'messenger' was never available to the general public...".
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Exploit-Db
ID | Title | Description | Published | Modified | Last seen | Reporter | Source |
---|---|---|---|---|---|---|---|
EDB-ID:28071 | V3 Chat Instant Messenger - search.php Multiple Parameter XSS | V3 Chat Instant Messenger search.php Multiple Parameter XSS. CVE-2006-3366. Webapps exploit for php platform | 2006-06-20 | 2006-06-20 | 2016-02-03 | Luny | https://www.exploit-db.com/download/28071/ |
EDB-ID:28072 | V3 Chat Instant Messenger - profile.php site_id Parameter XSS | V3 Chat Instant Messenger profile.php site_id Parameter XSS. CVE-2006-3366. Webapps exploit for php platform | 2006-06-20 | 2006-06-20 | 2016-02-03 | Luny | https://www.exploit-db.com/download/28072/ |
EDB-ID:28073 | V3 Chat Instant Messenger - profileview.php membername Parameter XSS | V3 Chat Instant Messenger profileview.php membername Parameter XSS. CVE-2006-3366. Webapps exploit for php platform | 2006-06-20 | 2006-06-20 | 2016-02-03 | Luny | https://www.exploit-db.com/download/28073/ |
EDB-ID:28068 | V3 Chat Instant Messenger - mail/index.php id Parameter XSS | V3 Chat Instant Messenger mail/index.php id Parameter XSS. CVE-2006-3366. Webapps exploit for php platform | 2006-06-20 | 2006-06-20 | 2016-02-03 | Luny | https://www.exploit-db.com/download/28068/ |
EDB-ID:28069 | V3 Chat Instant Messenger - mail/reply.php id Parameter XSS | V3 Chat Instant Messenger mail/reply.php id Parameter XSS. CVE-2006-3366. Webapps exploit for php platform | 2006-06-20 | 2006-06-20 | 2016-02-03 | Luny | https://www.exploit-db.com/download/28069/ |
EDB-ID:28074 | V3 Chat Instant Messenger - expire.php cust_name Parameter XSS | V3 Chat Instant Messenger expire.php cust_name Parameter XSS. CVE-2006-3366. Webapps exploit for php platform | 2006-06-20 | 2006-06-20 | 2016-02-03 | Luny | https://www.exploit-db.com/download/28074/ |
EDB-ID:28070 | V3 Chat Instant Messenger - online.php site_id Parameter XSS | V3 Chat Instant Messenger online.php site_id Parameter XSS. CVE-2006-3366. Webapps exploit for php platform | 2006-06-20 | 2006-06-20 | 2016-02-03 | Luny | https://www.exploit-db.com/download/28070/ |
References
- http://securitytracker.com/id?1016340
- http://www.securityfocus.com/archive/1/437755/100/200/threaded
- http://www.securityfocus.com/archive/1/438069/100/200/threaded
- http://www.securityfocus.com/bid/18543
- http://www.vupen.com/english/advisories/2006/2474