CVE-2006-1590

Name: CVE-2006-1590
Description: Cross-site scripting (XSS) vulnerability in the PrintFreshPage function in (1) Basic Analysis and Security Engine (BASE) 1.2.4 and (2) Analysis Console for Intrusion Databases (ACID) 0.9.6b23 allows remote attackers to inject arbitrary web script or HTML via the (a) back parameter to base_graph_main.php, (b) netmask parameter to base_stat_ipaddr.php, or (c) submit parameter to base_qry_alert.php within BASE, or (d) query string to acid_main.php in ACID, which causes the request URI ($_SERVER['REQUEST_URI']) to be inserted into a refresh operation.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 363548, 363549

The information below is based on the following data on fixed versions.

Package   Type    Release     Fixed Version  Urgency      Origin  Debian Bugs
acidbase  source  (unstable)  1.2.5-1        unimportant          363548
acidlab   source  (unstable)  (unfixed)      unimportant          363549

Notes

[sarge] - acidbase <no-dsa> (Hardly exploitable)
[sarge] - acidlab <no-dsa> (Hardly exploitable)
Not exploitable with the default configuration anyway.
