CVE-2006-2347

critical

Description

E-Business Designer (eBD) 3.1.4 and earlier allows remote attackers to obtain the full path of the web server via "'" characters, and possibly other invalid values, in (1) the id parameter to form_grupo.html, or requests to the (2) archivos/ and (3) files/ directories. NOTE: this issue might be resultant from SQL injection.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/26476

http://www.vupen.com/english/advisories/2006/1784

http://www.securityfocus.com/bid/17933

http://www.securityfocus.com/archive/1/433807/100/0/threaded

http://securityreason.com/securityalert/891

http://secunia.com/advisories/20071

http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/045980.html

Details

Source: Mitre, NVD

Published: 2006-05-12

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: Critical

EPSS

EPSS: 0.00567