Strix
26.1K

CVE-2006-3016

UnknownEPSS 2.26%

Last modified

CVE-2006-3016 is a vulnerability of currently unknown severity. Unspecified vulnerability in session.c in PHP before 5.1.3 has unknown impact and attack vectors, related to "certain characters in session names," including special characters that are frequently associated with CRLF injection, SQL injection, cross-site scripting (XSS), and HTTP response splitting vulnerabilities. NOTE: while the nature of the vulnerability is unspecified, it is likely that this is related to a violation of an expectation by PHP applications that the session name is alphanumeric, as implied in the PHP manual for session_name().. EPSS estimates a 2.26% chance of exploitation in the next 30 days.

Description

Unspecified vulnerability in session.c in PHP before 5.1.3 has unknown impact and attack vectors, related to "certain characters in session names," including special characters that are frequently associated with CRLF injection, SQL injection, cross-site scripting (XSS), and HTTP response splitting vulnerabilities. NOTE: while the nature of the vulnerability is unspecified, it is likely that this is related to a violation of an expectation by PHP applications that the session name is alphanumeric, as implied in the PHP manual for session_name().

Metrics

EPSS Probability
2.26%

80.8th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

VendorProductVersions
Php GroupPhp<= 5.1.2

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2006-3016?
Unspecified vulnerability in session.c in PHP before 5.1.3 has unknown impact and attack vectors, related to "certain characters in session names," including special characters that are frequently associated with CRLF injection, SQL injection, cross-site scripting (XSS), and HTTP response splitting vulnerabilities. NOTE: while the nature of the vulnerability is unspecified, it is likely that this is related to a violation of an expectation by PHP applications that the session name is alphanumeric, as implied in the PHP manual for session_name().
How severe is CVE-2006-3016?
Severity scoring for CVE-2006-3016 is pending analysis. The EPSS model estimates a 2.26% probability of exploitation in the next 30 days.
How do I fix CVE-2006-3016?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2006-3016?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST