CVE-2006-3798 - Vulnerability Details - OpenCVE

Description

DeluxeBB 1.07 and earlier allows remote attackers to overwrite the (1) _GET, (2) _POST, (3) _ENV, and (4) _SERVER variables via the _COOKIE (aka COOKIE) variable, which can overwrite the other variables during an extract function call, probably leading to multiple security vulnerabilities, aka "pollution of the global namespace."

Published: 2006-07-21

Score: 5.0 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:deluxebb:deluxebb:1.05:::::::*
	cpe:2.3:a:deluxebb:deluxebb:1.06:::::::*
	cpe:2.3:a:deluxebb:deluxebb:1.07:::::::*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2006-3792	DeluxeBB 1.07 and earlier allows remote attackers to overwrite the (1) _GET, (2) _POST, (3) _ENV, and (4) _SERVER variables via the _COOKIE (aka COOKIE) variable, which can overwrite the other variables during an extract function call, probably leading to multiple security vulnerabilities, aka "pollution of the global namespace."

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00392.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047989.html
http://securityreason.com/securityalert/1254
http://www.securityfocus.com/archive/1/440435/100/0/threaded
http://www.securityfocus.com/bid/19052

History

No history.

Subscriptions

Deluxebb Deluxebb

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2006-07-21T21:00:00.000Z

Updated: 2024-08-07T18:39:54.148Z

Reserved: 2006-07-21T00:00:00.000Z

Link: CVE-2006-3798

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2006-07-24T12:19:00.000

Modified: 2025-04-03T01:03:51.193

Link: CVE-2006-3798

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2006-07-18T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "DeluxeBB 1.07 and earlier allows remote attackers to overwrite the (1) _GET, (2) _POST, (3) _ENV, and (4) _SERVER variables via the _COOKIE (aka COOKIE) variable, which can overwrite the other variables during an extract function call, probably leading to multiple security vulnerabilities, aka \"pollution of the global namespace.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-17T20:57:01.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "1254", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/1254"}, {"name": "19052", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/19052"}, {"name": "20060718 Advisory : DeluxeBB mutiple vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047989.html"}, {"name": "20060718 DeluxeBB mutiple vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/440435/100/0/threaded"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-3798", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "DeluxeBB 1.07 and earlier allows remote attackers to overwrite the (1) _GET, (2) _POST, (3) _ENV, and (4) _SERVER variables via the _COOKIE (aka COOKIE) variable, which can overwrite the other variables during an extract function call, probably leading to multiple security vulnerabilities, aka \"pollution of the global namespace.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "1254", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/1254"}, {"name": "19052", "refsource": "BID", "url": "http://www.securityfocus.com/bid/19052"}, {"name": "20060718 Advisory : DeluxeBB mutiple vulnerabilities", "refsource": "FULLDISC", "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047989.html"}, {"name": "20060718 DeluxeBB mutiple vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/440435/100/0/threaded"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T18:39:54.148Z"}, "title": "CVE Program Container", "references": [{"name": "1254", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/1254"}, {"name": "19052", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/19052"}, {"name": "20060718 Advisory : DeluxeBB mutiple vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047989.html"}, {"name": "20060718 DeluxeBB mutiple vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/440435/100/0/threaded"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-3798", "datePublished": "2006-07-21T21:00:00.000Z", "dateReserved": "2006-07-21T00:00:00.000Z", "dateUpdated": "2024-08-07T18:39:54.148Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deluxebb:deluxebb:1.05:*:*:*:*:*:*:*", "matchCriteriaId": "9A65D83C-FB89-46C8-8ABA-D9F66ACE8B88", "vulnerable": true}, {"criteria": "cpe:2.3:a:deluxebb:deluxebb:1.06:*:*:*:*:*:*:*", "matchCriteriaId": "37F38906-2E8F-40E4-A03B-8121FDEF903C", "vulnerable": true}, {"criteria": "cpe:2.3:a:deluxebb:deluxebb:1.07:*:*:*:*:*:*:*", "matchCriteriaId": "DC51CF33-9B6A-40BE-B5A6-3596C02C48B5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DeluxeBB 1.07 and earlier allows remote attackers to overwrite the (1) _GET, (2) _POST, (3) _ENV, and (4) _SERVER variables via the _COOKIE (aka COOKIE) variable, which can overwrite the other variables during an extract function call, probably leading to multiple security vulnerabilities, aka \"pollution of the global namespace.\""}, {"lang": "es", "value": "DeluxeBB 1.07 y anteriores permite a atacantes remotos sobrescribir las variables (1) _GET, (2) _POST, (3) _ENV, y (4) _SERVER mediante la variable _COOKIE (tambi\u00e9n conocida como COOKIE), la cual puede sobrescribir las otras variables durante una llamada a la funci\u00f3n extract, probablemente llevando a m\u00faltiples vulnerabilidades de seguridad, tambi\u00e9n conocida como \"contaminaci\u00f3n del espacio de nombres global\"."}], "id": "CVE-2006-3798", "lastModified": "2025-04-03T01:03:51.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2006-07-24T12:19:00.000", "references": [{"source": "cve@mitre.org", "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047989.html"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/1254"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/440435/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/19052"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047989.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/1254"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/440435/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/19052"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}