CVE-2006-4712 - Vulnerability Details - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in Sage 1.3.6 allow remote attackers to inject arbitrary web script or HTML via JavaScript in a content:encoded element within an item element in an RSS feed, as demonstrated by four example content:encoded elements that use XMLHttpRequest to read arbitrary local files, aka "Cross Context Scripting."

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sage	Sage

Configuration 1 [-]

cpe:2.3:a:sage:sage:1.3.6:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://downloads.securityfocus.com/vulnerabilities/exploits/sage-inputvalidation.xml
http://secunia.com/advisories/21839
http://securityreason.com/securityalert/1558
http://www.gnucitizen.org/blog/cross-context-scripting-with-sage
http://www.intertwingly.net/blog/2006/08/09/Attack-Delivery-TestSuite
http://www.securityfocus.com/archive/1/445648/100/0/threaded
http://www.securityfocus.com/bid/19928
http://www.snellspace.com/wp/?p=410
http://www.snellspace.com/wp/?p=448
http://www.vupen.com/english/advisories/2006/3553
https://exchange.xforce.ibmcloud.com/vulnerabilities/28855

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2006-09-12T16:00:00

Updated: 2024-08-07T19:23:40.500Z

Reserved: 2006-09-12T00:00:00

Link: CVE-2006-4712

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2006-09-12T16:07:00.000

Modified: 2025-04-03T01:03:51.193

Link: CVE-2006-4712

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2006-09-08T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Sage 1.3.6 allow remote attackers to inject arbitrary web script or HTML via JavaScript in a content:encoded element within an item element in an RSS feed, as demonstrated by four example content:encoded elements that use XMLHttpRequest to read arbitrary local files, aka \"Cross Context Scripting.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-17T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "19928", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/19928"}, {"name": "20060908 Cross Context Scripting with Sage", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/445648/100/0/threaded"}, {"tags": ["x_refsource_MISC"], "url": "http://www.snellspace.com/wp/?p=410"}, {"tags": ["x_refsource_MISC"], "url": "http://downloads.securityfocus.com/vulnerabilities/exploits/sage-inputvalidation.xml"}, {"name": "ADV-2006-3553", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2006/3553"}, {"tags": ["x_refsource_MISC"], "url": "http://www.intertwingly.net/blog/2006/08/09/Attack-Delivery-TestSuite"}, {"name": "sage-rss-xss(28855)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28855"}, {"tags": ["x_refsource_MISC"], "url": "http://www.gnucitizen.org/blog/cross-context-scripting-with-sage"}, {"tags": ["x_refsource_MISC"], "url": "http://www.snellspace.com/wp/?p=448"}, {"name": "1558", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/1558"}, {"name": "21839", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/21839"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-4712", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Sage 1.3.6 allow remote attackers to inject arbitrary web script or HTML via JavaScript in a content:encoded element within an item element in an RSS feed, as demonstrated by four example content:encoded elements that use XMLHttpRequest to read arbitrary local files, aka \"Cross Context Scripting.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "19928", "refsource": "BID", "url": "http://www.securityfocus.com/bid/19928"}, {"name": "20060908 Cross Context Scripting with Sage", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/445648/100/0/threaded"}, {"name": "http://www.snellspace.com/wp/?p=410", "refsource": "MISC", "url": "http://www.snellspace.com/wp/?p=410"}, {"name": "http://downloads.securityfocus.com/vulnerabilities/exploits/sage-inputvalidation.xml", "refsource": "MISC", "url": "http://downloads.securityfocus.com/vulnerabilities/exploits/sage-inputvalidation.xml"}, {"name": "ADV-2006-3553", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/3553"}, {"name": "http://www.intertwingly.net/blog/2006/08/09/Attack-Delivery-TestSuite", "refsource": "MISC", "url": "http://www.intertwingly.net/blog/2006/08/09/Attack-Delivery-TestSuite"}, {"name": "sage-rss-xss(28855)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28855"}, {"name": "http://www.gnucitizen.org/blog/cross-context-scripting-with-sage", "refsource": "MISC", "url": "http://www.gnucitizen.org/blog/cross-context-scripting-with-sage"}, {"name": "http://www.snellspace.com/wp/?p=448", "refsource": "MISC", "url": "http://www.snellspace.com/wp/?p=448"}, {"name": "1558", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/1558"}, {"name": "21839", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/21839"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T19:23:40.500Z"}, "title": "CVE Program Container", "references": [{"name": "19928", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/19928"}, {"name": "20060908 Cross Context Scripting with Sage", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/445648/100/0/threaded"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.snellspace.com/wp/?p=410"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://downloads.securityfocus.com/vulnerabilities/exploits/sage-inputvalidation.xml"}, {"name": "ADV-2006-3553", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2006/3553"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.intertwingly.net/blog/2006/08/09/Attack-Delivery-TestSuite"}, {"name": "sage-rss-xss(28855)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28855"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.gnucitizen.org/blog/cross-context-scripting-with-sage"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.snellspace.com/wp/?p=448"}, {"name": "1558", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/1558"}, {"name": "21839", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/21839"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-4712", "datePublished": "2006-09-12T16:00:00", "dateReserved": "2006-09-12T00:00:00", "dateUpdated": "2024-08-07T19:23:40.500Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sage:sage:1.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "396044E4-866F-455F-87BE-0D14BF7960E1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Sage 1.3.6 allow remote attackers to inject arbitrary web script or HTML via JavaScript in a content:encoded element within an item element in an RSS feed, as demonstrated by four example content:encoded elements that use XMLHttpRequest to read arbitrary local files, aka \"Cross Context Scripting.\""}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Sage 1.3.6 permite a un atacante remoto inyectar secuencias de comandos web o HTMl de su elecci\u00f3n a trav\u00e9s de JavaScript en un contenido: elemento codificado dentro de un elemento del art\u00edculo en un alimentador RSS, como quedo demostrado por cuatrp ejemplos: elementos codificados que utilizaban XMLHttpRequest para leer archivos locales arbitrarios, tambi\u00e9n conocidos como \u201csecuencia de comandos de sitios cruzados\u201d ."}], "id": "CVE-2006-4712", "lastModified": "2025-04-03T01:03:51.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2006-09-12T16:07:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://downloads.securityfocus.com/vulnerabilities/exploits/sage-inputvalidation.xml"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/21839"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/1558"}, {"source": "cve@mitre.org", "url": "http://www.gnucitizen.org/blog/cross-context-scripting-with-sage"}, {"source": "cve@mitre.org", "url": "http://www.intertwingly.net/blog/2006/08/09/Attack-Delivery-TestSuite"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/445648/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/19928"}, {"source": "cve@mitre.org", "url": "http://www.snellspace.com/wp/?p=410"}, {"source": "cve@mitre.org", "url": "http://www.snellspace.com/wp/?p=448"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2006/3553"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28855"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://downloads.securityfocus.com/vulnerabilities/exploits/sage-inputvalidation.xml"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/21839"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/1558"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.gnucitizen.org/blog/cross-context-scripting-with-sage"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.intertwingly.net/blog/2006/08/09/Attack-Delivery-TestSuite"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/445648/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/19928"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.snellspace.com/wp/?p=410"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.snellspace.com/wp/?p=448"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2006/3553"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28855"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}