CVE-2006-0800

Severity: Unknown | EPSS: 2.13%

CVE-2006-0800 is a vulnerability of currently unknown severity. Interpretation conflict in PostNuke 0.761 and earlier allows remote attackers to conduct cross-site scripting (XSS) attacks via HTML tags with a trailing "<" character, which is interpreted as a ">" character by some web browsers but bypasses the blacklist protection in (1) the pnVarCleanFromInput function in pnAPI.php, (2) the pnSecureInput function in pnAntiCracker.php, and (3) the htmltext parameter in an edituser operation to user.php. EPSS estimates a 2.13% chance of exploitation in the next 30 days.

Description

Interpretation conflict in PostNuke 0.761 and earlier allows remote attackers to conduct cross-site scripting (XSS) attacks via HTML tags with a trailing "<" character, which is interpreted as a ">" character by some web browsers but bypasses the blacklist protection in (1) the pnVarCleanFromInput function in pnAPI.php, (2) the pnSecureInput function in pnAntiCracker.php, and (3) the htmltext parameter in an edituser operation to user.php.

Metrics

EPSS Probability
2.13%

79.6th percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor                        Product   Version
Postnuke Software Foundation  Postnuke  0.7
Postnuke Software Foundation  Postnuke  0.62
Postnuke Software Foundation  Postnuke  0.63
Postnuke Software Foundation  Postnuke  0.64
Postnuke Software Foundation  Postnuke  0.70
Postnuke Software Foundation  Postnuke  0.71
Postnuke Software Foundation  Postnuke  0.72
Postnuke Software Foundation  Postnuke  0.73
Postnuke Software Foundation  Postnuke  0.74
Postnuke Software Foundation  Postnuke  0.75
Postnuke Software Foundation  Postnuke  0.75_rc3
Postnuke Software Foundation  Postnuke  0.76_rc4
Postnuke Software Foundation  Postnuke  0.76_rc4a
Postnuke Software Foundation  Postnuke  0.76_rc4b
Postnuke Software Foundation  Postnuke  0.703
Postnuke Software Foundation  Postnuke  0.721
Postnuke Software Foundation  Postnuke  0.726.3
Postnuke Software Foundation  Postnuke  0.761
Postnuke Software Foundation  Postnuke  0.761a

References

Timeline

Published
Last Modified
Status: Modified

Frequently Asked Questions

What is CVE-2006-0800?
Interpretation conflict in PostNuke 0.761 and earlier allows remote attackers to conduct cross-site scripting (XSS) attacks via HTML tags with a trailing "<" character, which is interpreted as a ">" character by some web browsers but bypasses the blacklist protection in (1) the pnVarCleanFromInput function in pnAPI.php, (2) the pnSecureInput function in pnAntiCracker.php, and (3) the htmltext parameter in an edituser operation to user.php.
How severe is CVE-2006-0800?
Severity scoring for CVE-2006-0800 is pending analysis. The EPSS model estimates a 2.13% probability of exploitation in the next 30 days.
How do I fix CVE-2006-0800?
Check the vendor references and advisories linked above for patched versions and mitigation guidance.

Source: NVD / NIST