CVE-2006-0657

medium

Description

Cross-site scripting (XSS) vulnerability in Softcomplex PHP Event Calendar 1.5 allows remote authenticated users to inject arbitrary web script or HTML, and corrupt data, via the (1) username and (2) password parameters, which are not sanitized before being written to users.php. NOTE: while this issue was originally reported as XSS, the primary issue might be direct static code injection with resultant XSS.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/24523

http://www.vupen.com/english/advisories/2006/0507

http://www.securityfocus.com/bid/16588

http://www.osvdb.org/23072

http://www.osvdb.org/23071

http://securityreason.com/securityalert/442

http://secunia.com/advisories/18792

http://evuln.com/vulns/63/summary.html

Details

Source: Mitre, NVD

Published: 2006-02-13

Updated: 2026-04-16

Risk Information

CVSS v2

Base Score: 3.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00393