CVE-2006-5451 - Unsinewing Precision
Description
Multiple cross-site scripting (XSS) vulnerabilities in TorrentFlux 2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) action, (2) file, and (3) users array variables in (a) admin.php, which are not properly handled when the administrator views the Activity Log; and the (4) torrent parameter, as used by the displayName variable, in (b) startpop.php. These are different vectors than CVE-2006-5227.
Reference
http://www.stevenroddis.com.au/2006/10/13/torrentflux-startpopphp-torrent-script-insertion/
http://www.stevenroddis.com.au/2006/10/17/torrentflux-action-script-insertion/
http://www.stevenroddis.com.au/2006/10/17/torrentflux-file-script-insertion/
http://www.stevenroddis.com.au/2006/10/17/torrentflux-user_id-script-insertion/
http://www.securityfocus.com/bid/20534
http://secunia.com/advisories/22384
http://www.vupen.com/english/advisories/2006/4043
https://exchange.xforce.ibmcloud.com/vulnerabilities/29592
http://www.securityfocus.com/archive/1/448952/100/0/threaded
http://www.securityfocus.com/archive/1/448948/100/0/threaded
http://www.securityfocus.com/archive/1/448947/100/0/threaded
http://www.securityfocus.com/archive/1/448619/100/100/threaded