Vulnerability Name:

CVE-2007-2306 (CCN-33647)

Assigned:2007-04-13
Published:2007-04-13
Updated:2018-10-16
Summary:Multiple cross-site scripting (XSS) vulnerabilities in the Virtual War (VWar) 1.5.0 R15 and earlier module for PHP-Nuke, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) memberlist parameter to extra/login.php and the (2) title parameter to extra/today.php.
CVSS v3 Severity:4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
4.1 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:UR)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
3.8 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:H/RL:U/RC:UR)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: CCN
Type: BugTraq Mailing List, Fri Apr 13 2007 - 11:01:13 CDT
[waraxe-2007-SA#048] - Multiple vulnerabilities in Virtual War 1.5 module for PhpNuke

Source: MITRE
Type: CNA
CVE-2007-2306

Source: CCN
Type: SA24887
PHP-Nuke vWar Module SQL Injection and Cross-Site Scripting

Source: SREASON
Type: UNKNOWN
2642

Source: CCN
Type: OSVDB ID: 36573
vWar Module for PHP-Nuke extra/today.php title Parameter XSS

Source: CCN
Type: OSVDB ID: 36574
vWar Module for PHP-Nuke extra/login.php memberlist Parameter XSS

Source: CCN
Type: OSVDB ID: 39365
Virtual War (VWar) extra/login.php memberlist Parameter XSS

Source: CCN
Type: OSVDB ID: 39367
Virtual War (VWar) extra/today.php title Parameter XSS

Source: BUGTRAQ
Type: UNKNOWN
20070413 [waraxe-2007-SA#048] - Multiple vulnerabilities in Virtual War 1.5 module for PhpNuke

Source: BID
Type: UNKNOWN
23478

Source: CCN
Type: BID-23478
VWar Multiple Cross Site Scripting Vulnerabilities

Source: CCN
Type: Virtual War (vWar) Web site
VWar - Virtual War

Source: MISC
Type: Exploit
http://www.waraxe.us/advisory-48.html

Source: XF
Type: UNKNOWN
virtualwar-login-today-xss(33647)

Source: XF
Type: UNKNOWN
vwar-login-today-xss(33647)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:vwar:virtual_war:*:*:*:*:*:*:*:* (Version <= 1.5.0_r15)

  • * Denotes that component is vulnerable
    vwar virtual war *