CVE-2006-6824

medium

Description

Multiple cross-site scripting (XSS) vulnerabilities in Jim Hu and Chad Little PHP iCalendar 2.23 rc1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) getdate parameter in (a) day.php, (b) month.php, (c) year.php, (d) week.php, (e) search.php, (f) rss/index.php, (g) print.php, and (h) preferences.php; the (2) cpath parameter in (i) day.php, (j) month.php, (k) year.php, (l) week.php, and (m) search.php; the (3) query parameter in search.php; and possibly the cpath, (4) unset, and (5) set parameters in a setcookie action in preferences.php; different vectors than CVE-2006-3319. NOTE: it was later reported that vectors b, c, and d also affect 2.24.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/31146

http://www.securityfocus.com/archive/1/485397/100/200/threaded

http://www.osvdb.org/32500

http://www.osvdb.org/32499

http://www.osvdb.org/32498

http://www.osvdb.org/32497

http://www.osvdb.org/32496

http://www.osvdb.org/32495

http://www.osvdb.org/32494

http://www.osvdb.org/32493

http://secunia.com/advisories/23499

Details

Source: Mitre, NVD

Published: 2006-12-29

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.02008