| Name | CVE-2006-1603 |
| Description | Cross-site scripting (XSS) vulnerability in profile.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or HTML via the cur_password parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| phpbb2 | source | (unstable) | (not affected) | | | |
Notes
- phpbb2 <not-affected> (According to Jeroen a non-issue, see notes)
<jvw> jmm: unable to verify, the variable in question is only printed
at one single page, and there it doesn't get taken from GET nor POST in my tests
<jvw> and, shock, the password isn't saved unhashed in the DB, so having
javascript in your password can't be exposed otherwise
<jvw> I'd forget about it unless someone comes with a proof of concept