CVE-2006-0103
Published 2006-01-06
CVE-2006-0103: TinyPHPForum 3.6 and earlier stores the (1) users/[USERNAME].hash and (2) users/[USERNAME].email files under the web root with insufficient access control…
Priority P4 · 28 · medium · 5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 4.08% (89.4th percentile)
TinyPHPForum 3.6 and earlier stores the (1) users/[USERNAME].hash and (2) users/[USERNAME].email files under the web root with insufficient access control, which allows remote attackers to list all registered users and possibly obtain other sensitive information.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ralph_capper | tinyphpforum | — | — |
| ralph_capper | tinyphpforum | — | — |
| ralph_capper | tinyphpforum | — | — |
| ralph_capper | tinyphpforum | — | — |
| ralph_capper | tinyphpforum | — | — |
| ralph_capper | tinyphpforum | — | — |
| ralph_capper | tinyphpforum | — | — |
GHSA
GHSA-cw4v-3f8w-3q3q: Multiple cross-site scripting (XSS) vulnerabilities in Ralph Capper Tiny PHP Forum (TPF) 3
ghsa_unreviewed·2022-05-01·CVSS 5.0
CVE-2006-1898 [MEDIUM] CWE-79 GHSA-cw4v-3f8w-3q3q: Multiple cross-site scripting (XSS) vulnerabilities in Ralph Capper Tiny PHP Forum (TPF) 3
Multiple cross-site scripting (XSS) vulnerabilities in Ralph Capper Tiny PHP Forum (TPF) 3.6 allow remote attackers to inject arbitrary web script or HTML via (1) the uname parameter in a view action in profile.php and (2) a login name. NOTE: the "Access to hash password" issue is already covered by CVE-2006-0103.
GHSA
GHSA-rhfv-qm86-p9jj: TinyPHPForum 3
ghsa_unreviewed·2022-05-01
CVE-2006-0103 [MEDIUM] CWE-200 GHSA-rhfv-qm86-p9jj: TinyPHPForum 3
TinyPHPForum 3.6 and earlier stores the (1) users/[USERNAME].hash and (2) users/[USERNAME].email files under the web root with insufficient access control, which allows remote attackers to list all registered users and possibly obtain other sensitive information.
No detection rules found.
No writeups or analysis indexed.
http://evuln.com/vulns/14/summary.html
http://secunia.com/advisories/18293
http://securityreason.com/securityalert/320
http://securitytracker.com/id?1015436
http://www.osvdb.org/22257
http://www.securityfocus.com/archive/1/420933/100/0/threaded
http://www.securityfocus.com/archive/1/431133/100/0/threaded
http://www.vupen.com/english/advisories/2006/0054
https://exchange.xforce.ibmcloud.com/vulnerabilities/24016
Published: 2006-01-06