CVE-2006-5984 - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in Helm Web Hosting Control Panel 3.2.10 allow remote authenticated users to inject arbitrary web script or HTML via the (1) txtCompanyName, (2) txtEmail, or (3) txtUserAccNum parameter to (a) users.asp, or the (4) setThemeColour parameter to (b) default.asp in the Reseller and Admin levels; or the (5) setThemeColour parameter to default.asp in the User level. NOTE: the txtDomainName parameter to domains.asp is covered by CVE-2006-1407, which suggests that this vector is fixed in 3.2.10 stable.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Webhost Automation	Helm Web Hosting Control Panel

Configuration 1 [-]

cpe:2.3:a:webhost_automation:helm_web_hosting_control_panel:3.2.10:*:*:*:*:*:*:*

References

Link	Resource
http://aria-security.net/advisory/helm.txt	Vendor Advisory
http://secunia.com/advisories/22916	Vendor Advisory
http://securityreason.com/securityalert/1884
http://securitytracker.com/id?1017240
http://www.securityfocus.com/archive/1/451737/100/0/threaded
http://www.securityfocus.com/archive/1/451848/100/200/threaded
http://www.vupen.com/english/advisories/2006/4557
https://exchange.xforce.ibmcloud.com/vulnerabilities/30309

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2006-11-20T21:00:00

Updated: 2018-10-17T20:57:01

Reserved: 2006-11-20T00:00:00

Link: CVE-2006-5984

JSON object: View

NVD Information

Status : Modified

Published: 2006-11-20T21:07:00.000

Modified: 2018-10-17T21:46:12.983

Link: CVE-2006-5984

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2006-11-14T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Helm Web Hosting Control Panel 3.2.10 allow remote authenticated users to inject arbitrary web script or HTML via the (1) txtCompanyName, (2) txtEmail, or (3) txtUserAccNum parameter to (a) users.asp, or the (4) setThemeColour parameter to (b) default.asp in the Reseller and Admin levels; or the (5) setThemeColour parameter to default.asp in the User level. NOTE: the txtDomainName parameter to domains.asp is covered by CVE-2006-1407, which suggests that this vector is fixed in 3.2.10 stable."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-17T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20061114 Helm Cross-Site Scripting (XSS)", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/451737/100/0/threaded"}, {"tags": ["x_refsource_MISC"], "url": "http://aria-security.net/advisory/helm.txt"}, {"name": "ADV-2006-4557", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2006/4557"}, {"name": "22916", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/22916"}, {"name": "1884", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/1884"}, {"name": "1017240", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1017240"}, {"name": "helm-domainsusersdefaault-xss(30309)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30309"}, {"name": "20061116 Helm Cross Site Scripting", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/451848/100/200/threaded"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-5984", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Helm Web Hosting Control Panel 3.2.10 allow remote authenticated users to inject arbitrary web script or HTML via the (1) txtCompanyName, (2) txtEmail, or (3) txtUserAccNum parameter to (a) users.asp, or the (4) setThemeColour parameter to (b) default.asp in the Reseller and Admin levels; or the (5) setThemeColour parameter to default.asp in the User level. NOTE: the txtDomainName parameter to domains.asp is covered by CVE-2006-1407, which suggests that this vector is fixed in 3.2.10 stable."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20061114 Helm Cross-Site Scripting (XSS)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/451737/100/0/threaded"}, {"name": "http://aria-security.net/advisory/helm.txt", "refsource": "MISC", "url": "http://aria-security.net/advisory/helm.txt"}, {"name": "ADV-2006-4557", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/4557"}, {"name": "22916", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/22916"}, {"name": "1884", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/1884"}, {"name": "1017240", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1017240"}, {"name": "helm-domainsusersdefaault-xss(30309)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30309"}, {"name": "20061116 Helm Cross Site Scripting", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/451848/100/200/threaded"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-5984", "datePublished": "2006-11-20T21:00:00", "dateReserved": "2006-11-20T00:00:00", "dateUpdated": "2018-10-17T20:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webhost_automation:helm_web_hosting_control_panel:3.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "2CEA8C49-1092-42AB-8FB7-8E24DB0ABB76", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Helm Web Hosting Control Panel 3.2.10 allow remote authenticated users to inject arbitrary web script or HTML via the (1) txtCompanyName, (2) txtEmail, or (3) txtUserAccNum parameter to (a) users.asp, or the (4) setThemeColour parameter to (b) default.asp in the Reseller and Admin levels; or the (5) setThemeColour parameter to default.asp in the User level. NOTE: the txtDomainName parameter to domains.asp is covered by CVE-2006-1407, which suggests that this vector is fixed in 3.2.10 stable."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Helm Web Hosting Control Panel 3.2.10 permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s de los par\u00e1metros (1) txtCompanyName, (2) txtEmail, o (3) txtUserAccNum de (a) users.asp, o el par\u00e1metro (4) setThemeColour de (b) default.asp en los niveles de administrador y revendedor (Reseller and Admin Levels); o el par\u00e1metro (5) setThemeColour de default.asp en el nivel de usuario (User level). NOTA: el par\u00e1metro txtDomainName de domains.asp se trata en CVE-2006-1407, lo que sugiere que este vector est\u00e1 solucionado en la versi\u00f3n 3.2.10 estable."}], "id": "CVE-2006-5984", "lastModified": "2018-10-17T21:46:12.983", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2006-11-20T21:07:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://aria-security.net/advisory/helm.txt"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/22916"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/1884"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1017240"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/451737/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/451848/100/200/threaded"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/4557"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30309"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}