Vulnerability Details : CVE-2006-5442
ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks that inject arbitrary UTF-7 encoded JavaScript code via a view.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2006-5442
- cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2006-5442
- EPSS score: 1.10% (probability of exploitation activity in the next 30 days)
- Percentile: ~76% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2006-5442
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
References for CVE-2006-5442
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29576 (IBM X-Force Exchange)
- http://www.securityfocus.com/bid/20543
- http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD
- http://viewvc.tigris.org/servlets/ReadMsg?list=announce&msgNo=5&raw=true
- http://www.securityfocus.com/archive/1/448762/100/0/threaded
- http://www.hardened-php.net/advisory_102006.134.html (Hardened PHP - Hardened-PHP)
- http://securityreason.com/securityalert/1755 (ViewVC Undefined Charset UTF-7 XSS Vulnerability - CXSecurity.com)