CVE-2006-4542

Usermin < 1.220 - XSS

Title source: rule

Description

Webmin before 1.296 and Usermin before 1.226 do not properly handle a URL with a null ("%00") character, which allows remote attackers to conduct cross-site scripting (XSS), read CGI program source code, list directories, and possibly execute programs.

References (16)

[Patch] http://jvn.jp/jp/JVN%2399776858/index.html

[Patch, Vendor Advisory] http://secunia.com/advisories/21690

[Patch] http://webmin.com/security.html

[Patch, Vendor Advisory] http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/89_e.html

[Third Party Advisory, VDB Entry] http://www.osvdb.org/28337

[Third Party Advisory, VDB Entry] http://www.osvdb.org/28338

[Vendor Advisory] http://www.vupen.com/english/advisories/2006/3424

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/28699

[Vendor Advisory] http://www.mandriva.com/security/advisories?name=MDKSA-2006:170

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/19820

[Third Party Advisory] http://www.debian.org/security/2006/dsa-1199

[Third Party Advisory, VDB Entry] http://securitytracker.com/id?1016776

[Third Party Advisory, VDB Entry] http://securitytracker.com/id?1016777

[Third Party Advisory] http://secunia.com/advisories/22087

[Third Party Advisory] http://secunia.com/advisories/22114

[Third Party Advisory] http://secunia.com/advisories/22556

Scores

EPSS 0.0252

EPSS Percentile 85.2%

Classification

CWE

CWE-79

Status draft

Affected Products (50)

webmin/webmin

usermin/usermin < 1.220

usermin/usermin

usermin/usermin

usermin/usermin

usermin/usermin

usermin/usermin

usermin/usermin

usermin/usermin

usermin/usermin

usermin/usermin

usermin/usermin

usermin/usermin

usermin/usermin

usermin/usermin

... and 35 more

Timeline

Published Sep 05, 2006

Tracked Since Feb 18, 2026