CVE-2006-5599 - Vulnerability Details - OpenCVE

Cross-site scripting (XSS) vulnerability in Oracle Application Express (formerly HTML DB) before 2.2.1 allows remote attackers to inject arbitrary HTML or web script via the WWV_FLOW_ITEM_HELP package. NOTE: it is likely that this issue overlaps one of the Oracle VulnIDs covered by CVE-2006-5351. Oracle has not publicly disputed claims by a reliable researcher that this has been fixed by the October 2006 CPU.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.01243.

Key SSVC decision points have not yet been added.

Vendors	Products
Oracle	Apex

Configuration 1 [-]

cpe:2.3:a:oracle:apex:2.2:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2006-5584	Cross-site scripting (XSS) vulnerability in Oracle Application Express (formerly HTML DB) before 2.2.1 allows remote attackers to inject arbitrary HTML or web script via the WWV_FLOW_ITEM_HELP package. NOTE: it is likely that this issue overlaps one of the Oracle VulnIDs covered by CVE-2006-5351. Oracle has not publicly disputed claims by a reliable researcher that this has been fixed by the October 2006 CPU.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://securityreason.com/securityalert/1792
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html
http://www.red-database-security.com/advisory/oracle_apex_css_wwv_flow_item_help.html
http://www.securityfocus.com/archive/1/449500/100/0/threaded
http://www.us-cert.gov/cas/techalerts/TA06-291A.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2006-10-28T01:00:00

Updated: 2024-08-07T19:55:53.521Z

Reserved: 2006-10-27T00:00:00

Link: CVE-2006-5599

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2006-10-28T01:07:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2006-5599

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2006-10-23T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Oracle Application Express (formerly HTML DB) before 2.2.1 allows remote attackers to inject arbitrary HTML or web script via the WWV_FLOW_ITEM_HELP package. NOTE: it is likely that this issue overlaps one of the Oracle VulnIDs covered by CVE-2006-5351. Oracle has not publicly disputed claims by a reliable researcher that this has been fixed by the October 2006 CPU."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-17T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "1792", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/1792"}, {"name": "20061023 Cross-Site-Scripting Vulnerability in Oracle APEX WWV_FLOW_ITEM_HELP", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/449500/100/0/threaded"}, {"tags": ["x_refsource_MISC"], "url": "http://www.red-database-security.com/advisory/oracle_apex_css_wwv_flow_item_help.html"}, {"name": "TA06-291A", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "http://www.us-cert.gov/cas/techalerts/TA06-291A.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-5599", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in Oracle Application Express (formerly HTML DB) before 2.2.1 allows remote attackers to inject arbitrary HTML or web script via the WWV_FLOW_ITEM_HELP package. NOTE: it is likely that this issue overlaps one of the Oracle VulnIDs covered by CVE-2006-5351. Oracle has not publicly disputed claims by a reliable researcher that this has been fixed by the October 2006 CPU."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "1792", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/1792"}, {"name": "20061023 Cross-Site-Scripting Vulnerability in Oracle APEX WWV_FLOW_ITEM_HELP", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/449500/100/0/threaded"}, {"name": "http://www.red-database-security.com/advisory/oracle_apex_css_wwv_flow_item_help.html", "refsource": "MISC", "url": "http://www.red-database-security.com/advisory/oracle_apex_css_wwv_flow_item_help.html"}, {"name": "TA06-291A", "refsource": "CERT", "url": "http://www.us-cert.gov/cas/techalerts/TA06-291A.html"}, {"name": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html", "refsource": "MISC", "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T19:55:53.521Z"}, "title": "CVE Program Container", "references": [{"name": "1792", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/1792"}, {"name": "20061023 Cross-Site-Scripting Vulnerability in Oracle APEX WWV_FLOW_ITEM_HELP", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/449500/100/0/threaded"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.red-database-security.com/advisory/oracle_apex_css_wwv_flow_item_help.html"}, {"name": "TA06-291A", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "http://www.us-cert.gov/cas/techalerts/TA06-291A.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-5599", "datePublished": "2006-10-28T01:00:00", "dateReserved": "2006-10-27T00:00:00", "dateUpdated": "2024-08-07T19:55:53.521Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:apex:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "95351E3F-5B5C-48F1-9137-2CCCE11775AF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Oracle Application Express (formerly HTML DB) before 2.2.1 allows remote attackers to inject arbitrary HTML or web script via the WWV_FLOW_ITEM_HELP package. NOTE: it is likely that this issue overlaps one of the Oracle VulnIDs covered by CVE-2006-5351. Oracle has not publicly disputed claims by a reliable researcher that this has been fixed by the October 2006 CPU."}, {"lang": "es", "value": "Vulnerabilidad de cruce de sitios en scripts (XSS) en Oracle Application Express (anteriormente conocido como HTML DB) versiones anteriores a 2.2.1 permite a atacantes remotos inyectar scripts WEB o HTML de su elecci\u00f3n mediante el paquete WWV_FLOW_ITEM_HELP.\r\nNOTA: Es probable que esta vulnerabilidad se solape con alguna de las VulnIDs de Oracle, descritas en CVE-2006-5351. Oracle no ha impugnado p\u00fablicamente los comentarios de un investigador fiable que indica que esto se ha corregido en el CPU de Octubre de 2006."}], "id": "CVE-2006-5599", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2006-10-28T01:07:00.000", "references": [{"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/1792"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.red-database-security.com/advisory/oracle_apex_css_wwv_flow_item_help.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/449500/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Patch", "US Government Resource"], "url": "http://www.us-cert.gov/cas/techalerts/TA06-291A.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/1792"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.red-database-security.com/advisory/oracle_apex_css_wwv_flow_item_help.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/449500/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "US Government Resource"], "url": "http://www.us-cert.gov/cas/techalerts/TA06-291A.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}