Vulnerability Name:

CVE-2006-3436 (CCN-28658)

Assigned:2006-10-10
Published:2006-10-10
Updated:2018-10-18
Summary:Cross-site scripting (XSS) vulnerability in Microsoft .NET Framework 2.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving "ASP.NET controls that set the AutoPostBack property to true".
CVSS v3 Severity:4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
3.5 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2006-3436

Source: CCN
Type: SA22307
Microsoft .NET Framework Cross-Site Scripting Vulnerability

Source: SECUNIA
Type: Vendor Advisory
22307

Source: CCN
Type: SECTRACK ID: 1017029
ASP.NET Input Validation Hole in AutoPostBack Feature Permits Cross-Site Scripting Attacks

Source: SECTRACK
Type: UNKNOWN
1017029

Source: CCN
Type: ASA-2006-217
Windows Security Updates for October 2006 - (MS06-056 - MS06-065)

Source: CCN
Type: Microsoft Security Bulletin MS12-035
Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2693777)

Source: CCN
Type: Microsoft Security Bulletin MS13-040
Vulnerabilities in .NET Framework Could Allow Spoofing (2836440)

Source: CCN
Type: Microsoft Security Bulletin MS13-082
Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890)

Source: CCN
Type: Microsoft Security Bulletin MS15-080
Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3078662)

Source: CCN
Type: Microsoft Security Bulletin MS15-097
Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656)

Source: CCN
Type: Microsoft Security Bulletin MS15-115
Security Update for Microsoft Windows to Address Remote Code Execution (3105864)

Source: CCN
Type: Microsoft Security Bulletin MS15-116
Security Updates for Microsoft Office to Address Remote Code Execution (3104540)

Source: CCN
Type: Microsoft Security Bulletin MS15-123
Security Update for Skype for Business and Lync to Address Information Disclosure (3105872)

Source: CCN
Type: Microsoft Security Bulletin MS15-128
Security Update for Microsoft Graphics Component to Address Remote Code Execution (3104503)

Source: CCN
Type: Microsoft Security Bulletin MS15-129
Security Update for Silverlight to Address Remote Code Execution (3106614)

Source: CCN
Type: Microsoft Security Bulletin MS15-131
Security Update for Microsoft Office to Address Remote Code Execution (3116111)

Source: CCN
Type: Microsoft Security Bulletin MS15-132
Security Update for Microsoft Windows to Address Remote Code Execution (3116162)

Source: CCN
Type: Microsoft Security Bulletin MS15-135
Security Update for Windows Kernel Mode Drivers to Address Elevation of Privilege (3119075)

Source: CCN
Type: Microsoft Security Bulletin MS16-004
Security Update for Microsoft Office to Address Remote Code Execution - Critical (3124585)

Source: CCN
Type: Microsoft Security Bulletin MS16-006
Security Update for Silverlight to Address Remote Code Execution (3126036)

Source: CCN
Type: Microsoft Security Bulletin MS16-008
Security Update for Kernel to Address Elevation of Privilege (3124605)

Source: CCN
Type: Microsoft Security Bulletin MS16-014
Security update for Microsoft Windows to Address Remote Code Execution (3134228)

Source: CCN
Type: Microsoft Security Bulletin MS16-015
Security Update for Microsoft Office to Address Remote Code Execution (3134226)

Source: CCN
Type: Microsoft Security Bulletin MS16-029
Security Update for Microsoft Office to Address Remote Code Execution (3141806)

Source: CCN
Type: Microsoft Security Bulletin MS16-031
Security Update for Microsoft Windows to Address Elevation of Privilege (3140410)

Source: CCN
Type: Microsoft Security Bulletin MS16-035
Security Update for .NET Framework to Address Security Feature Bypass (3141780)

Source: CCN
Type: Microsoft Security Bulletin MS16-042
Security Update for Microsoft Office (3148775)

Source: CCN
Type: Microsoft Security Bulletin MS16-044
Security Update for Windows OLE (3146706)

Source: CCN
Type: Microsoft Security Bulletin MS16-048
Security Update for CSRSS (3148528)

Source: CCN
Type: Microsoft Security Bulletin MS16-054
Security Update for Microsoft Office (3155544)

Source: CCN
Type: Microsoft Security Bulletin MS16-060
Security Update for Windows Kernel (3154846)

Source: CCN
Type: Microsoft Security Bulletin MS16-061
Security Update for Microsoft RPC (3155520)

Source: CCN
Type: Microsoft Security Bulletin MS16-070
Security Update for Office (3163610)

Source: CCN
Type: Microsoft Security Bulletin MS16-088
Security Updates for Office (3170008)

Source: CCN
Type: Microsoft Security Bulletin MS16-092
Security Update for Windows Kernel (3171910)

Source: CCN
Type: Microsoft Security Bulletin MS16-097
Security Update for Microsoft Graphics Component (3177393)

Source: CCN
Type: Microsoft Security Bulletin MS16-099
Security Update for Office (3177451)

Source: CCN
Type: Microsoft Security Bulletin MS16-106
Security Update for Microsoft Graphics Component (3185848)

Source: CCN
Type: Microsoft Security Bulletin MS16-107
Security Update for Microsoft Office (3185852)

Source: CCN
Type: Microsoft Security Bulletin MS16-109
Security Update for Silverlight (3182373)

Source: CCN
Type: Microsoft Security Bulletin MS16-111
Security Update for Windows Kernel (3186973)

Source: CCN
Type: Microsoft Security Bulletin MS16-120
Security Update for Microsoft Graphics Component (3192884)

Source: CCN
Type: Microsoft Security Bulletin MS16-121
Security Update for Microsoft Office (3194063)

Source: CCN
Type: Microsoft Security Bulletin MS16-122
Security Update for Microsoft Video Control (3195360)

Source: CCN
Type: Microsoft Security Bulletin MS16-123
Security Update for Kernel-Mode Drivers (3192892)

Source: CCN
Type: Microsoft Security Bulletin MS16-124
Security Update for Windows Registry (3193227)

Source: CCN
Type: Microsoft Security Bulletin MS16-126
Security Update for Microsoft Internet Messaging API (3196067)

Source: CCN
Type: Microsoft Security Bulletin MS16-131
Security Update for Microsoft Video Control (3199151)

Source: CCN
Type: Microsoft Security Bulletin MS16-133
Security Update for Microsoft Office (3199168)

Source: CCN
Type: Microsoft Security Bulletin MS16-139
Security Update for Windows Kernel (3199720)

Source: CCN
Type: Microsoft Security Bulletin MS16-148
Security Update for Microsoft Office (3204068)

Source: CCN
Type: Microsoft Security Bulletin MS16-155
Security Update for .NET Framework (3205640)

Source: CCN
Type: Microsoft Security Bulletin MS17-002
Security Update for Microsoft Office (3214291)

Source: CCN
Type: Microsoft Security Bulletin MS17-006
Cumulative Security Update for Internet Explorer (4013073)

Source: CCN
Type: Microsoft Security Bulletin MS17-013
Security Update for Microsoft Graphics Component (4013075)

Source: CCN
Type: Microsoft Security Bulletin MS17-014
Security Update for Microsoft Office (4013241)

Source: CCN
Type: US-CERT VU#455604
Microsoft .NET Framework contains a cross-site scripting vulnerability

Source: CERT-VN
Type: US Government Resource
VU#455604

Source: CCN
Type: Microsoft Security Bulletin MS06-056
Vulnerability in ASP.NET 2.0 Could Allow Information Disclosure (922770)

Source: CCN
Type: Microsoft Security Bulletin MS07-040
Vulnerabilities in .NET Framework Could Allow Remote Code Execution (931212)

Source: CCN
Type: Microsoft Security Bulletin MS09-061
Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378)

Source: CCN
Type: Microsoft Security Bulletin MS10-041
Vulnerabilities in the Microsoft .NET Framework Could Allow Tampering (981343)

Source: CCN
Type: Microsoft Security Bulletin MS10-060
Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)

Source: CCN
Type: Microsoft Security Bulletin MS11-044
Vulnerability in .NET Framework Could Allow Remote Code Execution (2538814)

Source: CCN
Type: Microsoft Security Bulletin MS11-078
Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)

Source: HP
Type: UNKNOWN
SSRT061264

Source: BID
Type: UNKNOWN
20337

Source: CCN
Type: BID-20337
Microsoft ASP.NET AutoPostBack Variable Cross-Site Scripting Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2006-3976

Source: MS
Type: UNKNOWN
MS06-056

Source: XF
Type: UNKNOWN
asp-http-xss(28658)

Source: XF
Type: UNKNOWN
asp-http-xss(28658)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:377

Vulnerable Configuration:Configuration 1:
  • cpe:/a:microsoft:.net_framework:2.0:-:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:microsoft:.net_framework:2.0:-:*:*:*:*:*:*
  • AND
  • cpe:/o:microsoft:windows_xp:-:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2000:-:sp4:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server::x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:xp:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:-::~~~~itanium~:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:::tablet_pc:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:::media_center:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server:sp1_itanium:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:377
    V
    Microsoft .NET Framework 2.0 Cross-Site Scripting Vulnerability
    2007-08-02
    BACK
    microsoft .net framework 2.0
    microsoft .net framework 2.0
    microsoft windows xp - sp1
    microsoft windows 2000 - sp4
    microsoft windows 2003_server
    microsoft windows xp sp2
    microsoft windows 2003 server -
    microsoft windows xp
    microsoft windows xp
    microsoft windows 2003_server sp1
    microsoft windows 2003_server sp1_itanium