PT-2006-2246 · Vcard · Vcard
Published
2006-03-14
·
Updated
2018-10-18
·
CVE-2006-1230
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
vCard versions 2.6 through 2.9
Description
The issue allows remote attackers to inject arbitrary web script or HTML via the
card id, uploaded, card fontsize, or card color parameters in the create.php file. This can be exploited to conduct cross-site scripting (XSS) attacks.Recommendations
For vCard version 2.6, avoid using the
uploaded parameter in the create.php file until a fix is available.
For vCard version 2.9, consider restricting access to the card id parameter in the create.php file as a temporary workaround.
For all affected versions, restrict the use of the card fontsize and card color parameters in the create.php file to minimize the risk of exploitation.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Vcard