CVE-2006-0806

Name: CVE-2006-0806
Description: Multiple cross-site scripting (XSS) vulnerabilities in ADOdb 4.71, as used in multiple packages such as phpESP, allow remote attackers to inject arbitrary web script or HTML via (1) the next_page parameter in adodb-pager.inc.php and (2) other unspecified vectors related to PHP_SELF.
Source: CVE (at NVD; LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-1029-1, DSA-1030-1, DSA-1031-1
NVD severity: medium (attack range: remote)
Debian Bugs: 358872, 360396

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| cacti (PTS) | wheezy (security), wheezy | 0.8.8a+dfsg-5+deb7u8 | fixed |
| | jessie (security), jessie | 0.8.8b+dfsg-8+deb8u4 | fixed |
| | stretch | 0.8.8g+ds1-2 | fixed |
| | sid | 0.8.8g+ds1-3 | fixed |
| libphp-adodb (PTS) | jessie, wheezy | 5.15-1 | fixed |
| | stretch, sid | 5.20.4-1 | fixed |
| moodle (PTS) | sid | 2.7.13+dfsg-1 | fixed |

The information below is based on the following data on fixed versions.

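| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| cacti | source | (unstable) | 0.8.6d-1 | medium | | |
| cacti | source | sarge | 0.8.6c-7sarge3 | medium | DSA-1031-1 | |
| libphp-adodb | source | (unstable) | 4.72-0.1 | medium | | 358872 |
| libphp-adodb | source | sarge | 4.52-1sarge1 | medium | DSA-1029-1 | |
| libphp-adodb | source | woody | 1.51-1.2 | medium | DSA-1029-1 | |
| moodle | source | (unstable) | 1.6.1+20060825-1 | medium | | 360396 |
| moodle | source | sarge | 1.4.4.dfsg.1-3sarge1 | medium | DSA-1030-1 | |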

Notes

according to maintainer, "Moodle neither uses nor plans to use
ADODB_Pager, so it's not affected by #360396, but include patch for
it anyway, just in case somebody decides to use it out of the blue
