cbcvebase.
CVE-2006-6824
published 2006-12-29

CVE-2006-6824: Multiple cross-site scripting (XSS) vulnerabilities in Jim Hu and Chad Little PHP iCalendar 2.23 rc1 and earlier allow remote attackers to inject arbitrary web…

PriorityP418medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EXPLOIT
EPSS
2.44%
82.2th percentile
Multiple cross-site scripting (XSS) vulnerabilities in Jim Hu and Chad Little PHP iCalendar 2.23 rc1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) getdate parameter in (a) day.php, (b) month.php, (c) year.php, (d) week.php, (e) search.php, (f) rss/index.php, (g) print.php, and (h) preferences.php; the (2) cpath parameter in (i) day.php, (j) month.php, (k) year.php, (l) week.php, and (m) search.php; the (3) query parameter in search.php; and possibly the cpath, (4) unset, and (5) set parameters in a setcookie action in preferences.php; different vectors than CVE-2006-3319. NOTE: it was later reported that vectors b, c, and d also affect 2.24.

Affected

5 ranges
VendorProductVersion rangeFixed in
php_icalendarphp_icalendar<= 2.23_rc1
php_icalendarphp_icalendar
php_icalendarphp_icalendar
php_icalendarphp_icalendar
php_icalendarphp_icalendar
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.