CVE-2006-1508

MH Software Connect Daily Web Calendar Software <3.2.9 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2006-1508. PoCs published by r0t.

AI-analyzed exploit summary The provided text describes multiple cross-site scripting (XSS) vulnerabilities in Connect Daily due to insufficient input sanitization. It includes example URLs demonstrating how arbitrary script code could be executed in a user's browser context.

Description

Multiple cross-site scripting (XSS) vulnerabilities in MH Software Connect Daily Web Calendar Software 3.2.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) calendar_id, (2) style_sheet, and (3) start parameters in (a) ViewDay.html; the (4) txtSearch and (5) opgSearch parameters in (b) ViewSearch.html; the (6) calendar_id and (7) approved parameters in (c) ViewYear.html; the (8) item_type_id parameter in (d) ViewCal.html; and the (9) week parameter in (e) ViewWeek.html.

Exploits (5)

exploitdb WRITEUP VERIFIED
by r0t · textwebappsphp
https://www.exploit-db.com/exploits/27504

The provided text describes multiple cross-site scripting (XSS) vulnerabilities in Connect Daily due to insufficient input sanitization. It includes example URLs demonstrating how arbitrary script code could be executed in a user's browser context.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Theoretical
Target: Connect Daily (version not specified)
No auth needed
Prerequisites: Access to the vulnerable application · Ability to craft malicious URLs
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by r0t · textwebappsphp
https://www.exploit-db.com/exploits/27506

The provided text describes a cross-site scripting (XSS) vulnerability in Connect Daily, where user-supplied input is not properly sanitized. The example URL demonstrates how arbitrary script code could be executed in the context of the affected site.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Theoretical
Target: Connect Daily (version not specified)
No auth needed
Prerequisites: Access to the vulnerable application URL
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by r0t · textwebappsphp
https://www.exploit-db.com/exploits/27503

The provided text describes multiple XSS vulnerabilities in Connect Daily due to insufficient input sanitization. It includes example URLs demonstrating how arbitrary script code can be injected via the 'txtSearch' and 'opgFields' parameters.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Connect Daily (version not specified)
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by r0t · textwebappsphp
https://www.exploit-db.com/exploits/27502

The provided text describes multiple XSS vulnerabilities in Connect Daily due to improper input sanitization. It includes example URLs demonstrating how arbitrary script code can be executed in the context of the affected site.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Theoretical
Target: Connect Daily (version not specified)
No auth needed
Prerequisites: Access to the vulnerable application · Ability to craft malicious URLs
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by r0t · textwebappsphp
https://www.exploit-db.com/exploits/27505

The provided text describes a cross-site scripting (XSS) vulnerability in Connect Daily, where user-supplied input is not properly sanitized. The example URL demonstrates how an attacker could inject arbitrary script code via the 'item_type_id' parameter.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Theoretical
Target: Connect Daily (version not specified)
No auth needed
Prerequisites: Access to a vulnerable instance of Connect Daily · Ability to craft a malicious URL with injected script code
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (10)

Core 10
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/24184
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/24185
Exploit, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19434
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/25474
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/1125
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/24183
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/24181
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/24182
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/17287

Scores

EPSS 0.0261
EPSS Percentile 83.4%

Details

Status published
Products (2)
mh_software/connect_daily 3.2.8
mh_software/connect_daily < 3.2.9
Published Mar 30, 2006
Tracked Since Feb 18, 2026