CVE-2006-6942 - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in PhpMyAdmin before 2.9.1.1 allow remote attackers to inject arbitrary HTML or web script via (1) a comment for a table name, as exploited through (a) db_operations.php, (2) the db parameter to (b) db_create.php, (3) the newname parameter to db_operations.php, the (4) query_history_latest, (5) query_history_latest_db, and (6) querydisplay_tab parameters to (c) querywindow.php, and (7) the pos parameter to (d) sql.php.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Phpmyadmin	Phpmyadmin

Configuration 1 [-]

OR	cpe:2.3:a:phpmyadmin:phpmyadmin::::::::
	cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0:::::::*
	cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0.1:::::::*
	cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0.2:::::::*
	cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0.3:::::::*
	cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0_beta1:::::::*
	cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0_rc1:::::::*
	cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1_rc1:::::::*
	cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1_rc2:::::::*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:3.1:::::::*
	cpe:2.3:o:debian:debian_linux:4.0:::::::*

No data.

References

Link	Providers
http://marc.info/?l=bugtraq&m=116370414309444&w=2
http://secunia.com/advisories/26733
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-7
http://www.securityfocus.com/bid/21137
http://www.us.debian.org/security/2007/dsa-1370
http://www.vupen.com/english/advisories/2006/4572
https://exchange.xforce.ibmcloud.com/vulnerabilities/30310

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-01-19T02:00:00

Updated: 2024-08-07T20:42:07.818Z

Reserved: 2007-01-18T00:00:00

Link: CVE-2006-6942

Vulnrichment

No data.

NVD

Status : Modified

Published: 2007-01-19T02:28:00.000

Modified: 2017-07-29T01:29:44.623

Link: CVE-2006-6942

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2006-11-16T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PhpMyAdmin before 2.9.1.1 allow remote attackers to inject arbitrary HTML or web script via (1) a comment for a table name, as exploited through (a) db_operations.php, (2) the db parameter to (b) db_create.php, (3) the newname parameter to db_operations.php, the (4) query_history_latest, (5) query_history_latest_db, and (6) querydisplay_tab parameters to (c) querywindow.php, and (7) the pos parameter to (d) sql.php."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-7"}, {"name": "ADV-2006-4572", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2006/4572"}, {"name": "26733", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/26733"}, {"name": "20061116 PhpMyAdmin all version [multiples vulnerability]", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://marc.info/?l=bugtraq&m=116370414309444&w=2"}, {"name": "phpmyadmin-multiple-parameter-xss(30310)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30310"}, {"name": "DSA-1370", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.us.debian.org/security/2007/dsa-1370"}, {"name": "21137", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/21137"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-6942", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PhpMyAdmin before 2.9.1.1 allow remote attackers to inject arbitrary HTML or web script via (1) a comment for a table name, as exploited through (a) db_operations.php, (2) the db parameter to (b) db_create.php, (3) the newname parameter to db_operations.php, the (4) query_history_latest, (5) query_history_latest_db, and (6) querydisplay_tab parameters to (c) querywindow.php, and (7) the pos parameter to (d) sql.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-7", "refsource": "CONFIRM", "url": "http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-7"}, {"name": "ADV-2006-4572", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/4572"}, {"name": "26733", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26733"}, {"name": "20061116 PhpMyAdmin all version [multiples vulnerability]", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq&m=116370414309444&w=2"}, {"name": "phpmyadmin-multiple-parameter-xss(30310)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30310"}, {"name": "DSA-1370", "refsource": "DEBIAN", "url": "http://www.us.debian.org/security/2007/dsa-1370"}, {"name": "21137", "refsource": "BID", "url": "http://www.securityfocus.com/bid/21137"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T20:42:07.818Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-7"}, {"name": "ADV-2006-4572", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2006/4572"}, {"name": "26733", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/26733"}, {"name": "20061116 PhpMyAdmin all version [multiples vulnerability]", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://marc.info/?l=bugtraq&m=116370414309444&w=2"}, {"name": "phpmyadmin-multiple-parameter-xss(30310)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30310"}, {"name": "DSA-1370", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.us.debian.org/security/2007/dsa-1370"}, {"name": "21137", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/21137"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-6942", "datePublished": "2007-01-19T02:00:00", "dateReserved": "2007-01-18T00:00:00", "dateUpdated": "2024-08-07T20:42:07.818Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*", "matchCriteriaId": "5DE07071-A27E-4BC0-937C-32415A6A6C03", "versionEndIncluding": "2.9.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "44DA3E88-1572-484D-A4DB-A99EF7D73129", "vulnerable": true}, {"criteria": "cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "3E65F392-A841-461A-921C-91F40330F3F4", "vulnerable": true}, {"criteria": "cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "5A7F2F4E-7DCC-43F8-BB69-BE553C2F8F66", "vulnerable": true}, {"criteria": "cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "1CDE3326-8B3F-4C3A-BA40-6F91CDFAFA76", "vulnerable": true}, {"criteria": "cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0_beta1:*:*:*:*:*:*:*", "matchCriteriaId": "36C4A673-5ACD-4D1A-A780-5CD279230051", "vulnerable": true}, {"criteria": "cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0_rc1:*:*:*:*:*:*:*", "matchCriteriaId": "9BD0DFB0-92F1-4914-A637-A2EBCE0A9BCF", "vulnerable": true}, {"criteria": "cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1_rc1:*:*:*:*:*:*:*", "matchCriteriaId": "1519A451-0EC8-4718-991D-948572C08410", "vulnerable": true}, {"criteria": "cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1_rc2:*:*:*:*:*:*:*", "matchCriteriaId": "9ACAA116-2853-456B-BC9C-B036A0F99FB3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "A2E0C1F8-31F5-4F61-9DF7-E49B43D3C873", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "0F92AB32-E7DE-43F4-B877-1F41FA162EC7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PhpMyAdmin before 2.9.1.1 allow remote attackers to inject arbitrary HTML or web script via (1) a comment for a table name, as exploited through (a) db_operations.php, (2) the db parameter to (b) db_create.php, (3) the newname parameter to db_operations.php, the (4) query_history_latest, (5) query_history_latest_db, and (6) querydisplay_tab parameters to (c) querywindow.php, and (7) the pos parameter to (d) sql.php."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en PhpMyAdmin versiones anteriores a 2.9.1.1 permite a atacantes remotos inyectar scripts web o HTML de su elecci\u00f3n mediante (1) un comentario en un nombre de talba, tal y como se explota a trav\u00e9s de (a) db_operations.php, (2) el par\u00e1metro db en (b) db_create.php, (3) el par\u00e1metro newname en db_operations.php, el par\u00e1metro(4) query_history_latest, (5) query_history_latest_db, y (6) querydisplay_tab en (c) querywindow.php, y (7) el par\u00e1metro pos en(d) sql.php."}], "id": "CVE-2006-6942", "lastModified": "2017-07-29T01:29:44.623", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-01-19T02:28:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://marc.info/?l=bugtraq&m=116370414309444&w=2"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "http://secunia.com/advisories/26733"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-7"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/21137"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.us.debian.org/security/2007/dsa-1370"}, {"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "http://www.vupen.com/english/advisories/2006/4572"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30310"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}