CVE-2006-3363
Published 2006-07-06
Priority: P336 (medium)
CVSS 2.0: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 3.25% (86.8th percentile)
PHP remote file inclusion vulnerability in index.php in the Glossaire module 1.7 for Xoops allows remote attackers to execute arbitrary PHP code via a URL in the pa parameter.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cakephp | cakephp | >= 1.0.1.2708 < 1.1.7.3363 | 1.1.7.3363 |
| xoops | xoops_glossaire_module | — | — |
GHSA-r6vx-9v3f-3769 (ghsa_unreviewed, 2022-05-01): CVE-2006-3363 [MEDIUM] PHP remote file inclusion vulnerability in index.php
PHP remote file inclusion vulnerability in index.php in the Glossaire module 1.7 for Xoops allows remote attackers to execute arbitrary PHP code via a URL in the pa parameter.
GHSA (ghsa, 2022-05-01): CVE-2006-4067 [MEDIUM] CWE-79 Cross-site scripting (XSS) vulnerability in CakePHP
Cross-site scripting (XSS) vulnerability in cake/libs/error.php in CakePHP before 1.1.7.3363 allows remote attackers to inject arbitrary web script or HTML via the URL, which is reflected back in a 404 ("Not Found") error page. NOTE: some of these details are obtained from third party information.
No detection rules found.
Exploit-DB (exploitdb, 2006-09-22): CVE-2006-5031 CakePHP 1.1.7.3363 - 'Vendors.php' Directory Traversal
Source: https://www.securityfocus.com/bid/20150/info
CakePHP is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the affected application. Information obtained may aid in further attacks.
Version 1.1.7.3633 is vulnerable; earlier versions may also be affected.
http://www.example.com/js/vendors.php?file=../../../../[file]%00foobar.js
Exploit-DB (exploitdb, 2006-07-03): CVE-2006-3363 Glossaire 1.7 - Remote File Inclusion
Source: https://www.securityfocus.com/bid/18792/info
Glossaire is prone to a remote file-include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.
An attacker can exploit this issue to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and gain access to the underlying system.
www.example.com/grossaire/index.php?pa=[evil_script]
No writeups or analysis indexed.
References:
- http://securityreason.com/securityalert/1195
- http://securitytracker.com/id?1016425
- http://www.securityfocus.com/archive/1/438939/100/0/threaded
- http://www.securityfocus.com/bid/18792
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27543