CVE-2006-6975 - Vulnerability Details - OpenCVE

PHP remote file inclusion vulnerability in centipaid_class.php in CentiPaid 1.4.3 allows remote attackers to execute arbitrary code via a URL in the class_pwd parameter. NOTE: this issue has been disputed by CVE and multiple third parties, who state that $class_pwd is set to a static value before the relevant include statement

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.05276.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Centipaid	Centipaid

Configuration 1 [-]

cpe:2.3:a:centipaid:centipaid:1.4.3:*:*:*:*:*:*:*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://archives.neohapsis.com/archives/bugtraq/2006-10/0472.html
http://archives.neohapsis.com/archives/bugtraq/2006-10/0494.html
http://archives.neohapsis.com/archives/bugtraq/2006-10/0499.html
http://www.osvdb.org/31638

History

Fri, 17 Jan 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-02-08T17:00:00Z

Updated: 2025-01-17T14:13:37.244Z

Reserved: 2007-02-08T00:00:00Z

Link: CVE-2006-6975

Vulnrichment

Updated: 2024-08-07T20:50:05.959Z

NVD

Status : Deferred

Published: 2007-02-08T17:28:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2006-6975

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "PHP remote file inclusion vulnerability in centipaid_class.php in CentiPaid 1.4.3 allows remote attackers to execute arbitrary code via a URL in the class_pwd parameter. NOTE: this issue has been disputed by CVE and multiple third parties, who state that $class_pwd is set to a static value before the relevant include statement"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2007-02-08T17:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20061030 Re: CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0494.html"}, {"name": "20061028 CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0472.html"}, {"name": "20061030 Re: CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0499.html"}, {"name": "31638", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/31638"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-6975", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** PHP remote file inclusion vulnerability in centipaid_class.php in CentiPaid 1.4.3 allows remote attackers to execute arbitrary code via a URL in the class_pwd parameter. NOTE: this issue has been disputed by CVE and multiple third parties, who state that $class_pwd is set to a static value before the relevant include statement."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20061030 Re: CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0494.html"}, {"name": "20061028 CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0472.html"}, {"name": "20061030 Re: CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0499.html"}, {"name": "31638", "refsource": "OSVDB", "url": "http://www.osvdb.org/31638"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T20:50:05.959Z"}, "title": "CVE Program Container", "references": [{"name": "20061030 Re: CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0494.html"}, {"name": "20061028 CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0472.html"}, {"name": "20061030 Re: CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0499.html"}, {"name": "31638", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/31638"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-17T14:13:33.748123Z", "id": "CVE-2006-6975", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-17T14:13:37.244Z"}}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-6975", "datePublished": "2007-02-08T17:00:00Z", "dateReserved": "2007-02-08T00:00:00Z", "dateUpdated": "2025-01-17T14:13:37.244Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0494.html", "name": "20061030 Re: CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"]}, {"url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0472.html", "name": "20061028 CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"]}, {"url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0499.html", "name": "20061030 Re: CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"]}, {"url": "http://www.osvdb.org/31638", "name": "31638", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T20:50:05.959Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2006-6975", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-17T14:13:33.748123Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-17T14:12:58.484Z"}}], "cna": {"tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0494.html", "name": "20061030 Re: CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "tags": ["mailing-list", "x_refsource_BUGTRAQ"]}, {"url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0472.html", "name": "20061028 CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "tags": ["mailing-list", "x_refsource_BUGTRAQ"]}, {"url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0499.html", "name": "20061030 Re: CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "tags": ["mailing-list", "x_refsource_BUGTRAQ"]}, {"url": "http://www.osvdb.org/31638", "name": "31638", "tags": ["vdb-entry", "x_refsource_OSVDB"]}], "descriptions": [{"lang": "en", "value": "PHP remote file inclusion vulnerability in centipaid_class.php in CentiPaid 1.4.3 allows remote attackers to execute arbitrary code via a URL in the class_pwd parameter. NOTE: this issue has been disputed by CVE and multiple third parties, who state that $class_pwd is set to a static value before the relevant include statement"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2007-02-08T17:00:00Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "n/a"}]}, "product_name": "n/a"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0494.html", "name": "20061030 Re: CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "refsource": "BUGTRAQ"}, {"url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0472.html", "name": "20061028 CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "refsource": "BUGTRAQ"}, {"url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0499.html", "name": "20061030 Re: CentiPaid <= 1.4.2 [$class_pwd] Remote File Include", "refsource": "BUGTRAQ"}, {"url": "http://www.osvdb.org/31638", "name": "31638", "refsource": "OSVDB"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** PHP remote file inclusion vulnerability in centipaid_class.php in CentiPaid 1.4.3 allows remote attackers to execute arbitrary code via a URL in the class_pwd parameter. NOTE: this issue has been disputed by CVE and multiple third parties, who state that $class_pwd is set to a static value before the relevant include statement."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2006-6975", "STATE": "PUBLIC", "ASSIGNER": "cve@mitre.org"}}}}, "cveMetadata": {"cveId": "CVE-2006-6975", "state": "PUBLISHED", "dateUpdated": "2025-01-17T14:13:37.244Z", "dateReserved": "2007-02-08T00:00:00Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2007-02-08T17:00:00Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:centipaid:centipaid:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "2CA9B97F-54AE-4D2A-8D86-AD1604F2C3AD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "PHP remote file inclusion vulnerability in centipaid_class.php in CentiPaid 1.4.3 allows remote attackers to execute arbitrary code via a URL in the class_pwd parameter. NOTE: this issue has been disputed by CVE and multiple third parties, who state that $class_pwd is set to a static value before the relevant include statement"}, {"lang": "es", "value": "** IMPUGNADO ** Vulnerabilidad de inclusi\u00f3n remota de archivo en PHP en centipaid_class.php de CentiPaid 1.4.3 permite a atacantes remotos ejecutar c\u00f3digo de su elecci\u00f3n mediante una URL en el par\u00e1metro class_pwd.\r\nNOTA: Esta vulnerabilidad ha sido impugnada por CVE y m\u00faltiples terceras partes, que indican que a $class_pwd se le asigna un valor est\u00e1tico anteriormente a la sentencia \"include\" pertinente."}], "evaluatorImpact": "This is not exploitable.", "id": "CVE-2006-6975", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2007-02-08T17:28:00.000", "references": [{"source": "cve@mitre.org", "url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0472.html"}, {"source": "cve@mitre.org", "url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0494.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0499.html"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/31638"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0472.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0494.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://archives.neohapsis.com/archives/bugtraq/2006-10/0499.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/31638"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}