CVE-2006-4256 - OpenCVE

index.php in Horde Application Framework before 3.1.2 allows remote attackers to include web pages from other sites, which could be useful for phishing attacks, via a URL in the url parameter, aka "cross-site referencing." NOTE: some sources have referred to this issue as XSS, but it is different than classic XSS.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Horde	Application Framework

Configuration 1 [-]

OR	cpe:2.3:a:horde:application_framework:3.0:::::::*
	cpe:2.3:a:horde:application_framework:3.0.1:::::::*
	cpe:2.3:a:horde:application_framework:3.0.2:::::::*
	cpe:2.3:a:horde:application_framework:3.0.3:::::::*
	cpe:2.3:a:horde:application_framework:3.0.4:::::::*
	cpe:2.3:a:horde:application_framework:3.0.4_rc1:::::::*
	cpe:2.3:a:horde:application_framework:3.0.4_rc2:::::::*
	cpe:2.3:a:horde:application_framework:3.0.6:::::::*
	cpe:2.3:a:horde:application_framework:3.0.7:::::::*
	cpe:2.3:a:horde:application_framework:3.0.8:::::::*
	cpe:2.3:a:horde:application_framework:3.0.9:::::::*
	cpe:2.3:a:horde:application_framework:3.1:::::::*
	cpe:2.3:a:horde:application_framework:3.1.1:::::::*

References

Link	Resource
http://lists.horde.org/archives/announce/2006/000292.html
http://secunia.com/advisories/21500	Vendor Advisory
http://secunia.com/advisories/27565
http://securityreason.com/securityalert/1422
http://securitytracker.com/id?1016713
http://www.debian.org/security/2007/dsa-1406
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2456
http://www.securityfocus.com/archive/1/443360/100/0/threaded
http://www.vupen.com/english/advisories/2006/3309
https://exchange.xforce.ibmcloud.com/vulnerabilities/28411

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2006-08-21T20:00:00

Updated: 2018-10-17T20:57:01

Reserved: 2006-08-21T00:00:00

Link: CVE-2006-4256

JSON object: View

NVD Information

Status : Modified

Published: 2006-08-21T20:04:00.000

Modified: 2018-10-17T21:34:16.910

Link: CVE-2006-4256

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2006-08-16T00:00:00", "descriptions": [{"lang": "en", "value": "index.php in Horde Application Framework before 3.1.2 allows remote attackers to include web pages from other sites, which could be useful for phishing attacks, via a URL in the url parameter, aka \"cross-site referencing.\" NOTE: some sources have referred to this issue as XSS, but it is different than classic XSS."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-17T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2456"}, {"name": "[horde-announce] 20060817 Horde 3.1.3 (final)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.horde.org/archives/announce/2006/000292.html"}, {"name": "27565", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/27565"}, {"name": "1422", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/1422"}, {"name": "20060816 [scip_Advisory 2456] Horde Framework and Horde IMP /index.php cross site referencing", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/443360/100/0/threaded"}, {"name": "21500", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/21500"}, {"name": "ADV-2006-3309", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2006/3309"}, {"name": "DSA-1406", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2007/dsa-1406"}, {"name": "horde-index-xss(28411)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28411"}, {"name": "1016713", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1016713"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-4256", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "index.php in Horde Application Framework before 3.1.2 allows remote attackers to include web pages from other sites, which could be useful for phishing attacks, via a URL in the url parameter, aka \"cross-site referencing.\" NOTE: some sources have referred to this issue as XSS, but it is different than classic XSS."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2456", "refsource": "MISC", "url": "http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2456"}, {"name": "[horde-announce] 20060817 Horde 3.1.3 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2006/000292.html"}, {"name": "27565", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/27565"}, {"name": "1422", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/1422"}, {"name": "20060816 [scip_Advisory 2456] Horde Framework and Horde IMP /index.php cross site referencing", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/443360/100/0/threaded"}, {"name": "21500", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/21500"}, {"name": "ADV-2006-3309", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/3309"}, {"name": "DSA-1406", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2007/dsa-1406"}, {"name": "horde-index-xss(28411)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28411"}, {"name": "1016713", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1016713"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-4256", "datePublished": "2006-08-21T20:00:00", "dateReserved": "2006-08-21T00:00:00", "dateUpdated": "2018-10-17T20:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:horde:application_framework:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "CEC8BBFC-263E-4735-847D-5544D18922E4", "vulnerable": true}, {"criteria": "cpe:2.3:a:horde:application_framework:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "8DB1F389-5D64-4B8C-B207-7D23F0C12DBE", "vulnerable": true}, {"criteria": "cpe:2.3:a:horde:application_framework:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "BE8892DF-11F2-4991-97E8-D561DEAC4F5B", "vulnerable": true}, {"criteria": "cpe:2.3:a:horde:application_framework:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3B46B6F5-055E-44EB-BB78-503811C0E57C", "vulnerable": true}, {"criteria": "cpe:2.3:a:horde:application_framework:3.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "66B197B0-F3B7-40D6-9872-C1A94622C242", "vulnerable": true}, {"criteria": "cpe:2.3:a:horde:application_framework:3.0.4_rc1:*:*:*:*:*:*:*", "matchCriteriaId": "BAEAAF02-1B61-421A-887C-107B7234262B", "vulnerable": true}, {"criteria": "cpe:2.3:a:horde:application_framework:3.0.4_rc2:*:*:*:*:*:*:*", "matchCriteriaId": "01557585-CE92-49FB-B9BB-AAAE7D355BE9", "vulnerable": true}, {"criteria": "cpe:2.3:a:horde:application_framework:3.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "2698E2D7-09BF-4490-B362-4245CD3087D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:horde:application_framework:3.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "A3B40A46-117D-4D85-8CC8-27236A3280C0", "vulnerable": true}, {"criteria": "cpe:2.3:a:horde:application_framework:3.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "FEFBECFF-D1A4-465D-B59F-E70246DE4BE7", "vulnerable": true}, {"criteria": "cpe:2.3:a:horde:application_framework:3.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "57ABD1BD-6676-4B54-9F3E-FACF1346794F", "vulnerable": true}, {"criteria": "cpe:2.3:a:horde:application_framework:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "79EC6167-5D16-4236-8EBC-412EE1784802", "vulnerable": true}, {"criteria": "cpe:2.3:a:horde:application_framework:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "5A4F6A2A-05B6-42EA-8F61-D0AB610A6757", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "index.php in Horde Application Framework before 3.1.2 allows remote attackers to include web pages from other sites, which could be useful for phishing attacks, via a URL in the url parameter, aka \"cross-site referencing.\" NOTE: some sources have referred to this issue as XSS, but it is different than classic XSS."}, {"lang": "es", "value": "index.php en Horde Application Framework anerior a 3.1.2 permite a atacantes remotos incluir p\u00e1ginas web de otros sitios, lo que podr\u00eda ser \u00fatil para ataques de phishing, mediante una URL en el par\u00e1metro url, tambi\u00e9n conocido como \"referencia en sitios cruzados\" (cross-site referencing). NOTA: algunas fuetnes se han referido a este problema como XSS, pero es diferente del cl\u00e1sico XSS."}], "id": "CVE-2006-4256", "lastModified": "2018-10-17T21:34:16.910", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2006-08-21T20:04:00.000", "references": [{"source": "cve@mitre.org", "url": "http://lists.horde.org/archives/announce/2006/000292.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/21500"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/27565"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/1422"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1016713"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2007/dsa-1406"}, {"source": "cve@mitre.org", "url": "http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2456"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/443360/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/3309"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28411"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}