CVE-2006-3366
CVE-2006-3366 is a low-severity vulnerability in V3 Chat with a CVSS 2.0 base score of 2.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: Low (CVSS 2.0 base score 2.6)
- EPSS exploit prediction: 2% (76th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: V3 Chat
- Published:
- Last modified:
Description
Multiple cross-site scripting (XSS) vulnerabilities in V3 Chat allow remote attackers to inject arbitrary web script or HTML via crafted HTML tags, as demonstrated by the IMG tag, in the (1) id parameter in (a) mail/index.php and (b) mail/reply.php; (2) login_id parameter in (c) members/is_online.php; (3) site_id parameter in (d) messenger/online.php, (e) messenger/search.php, and (f) messenger/profile.php; (4) contact_name parameter in messenger/search.php; (5) membername parameter in (g) messenger/profileview.php; (6) unspecified parameters used when "editing a profile"; and (7) cust_name parameter in (h) messenger/expire.php. NOTE: The vendor disputes the vectors involving files in the messenger directory, stating "... the referenced folder 'messenger' was never available to the general public...".
Frequently asked questions
- What is CVE-2006-3366?
- Multiple cross-site scripting (XSS) vulnerabilities in V3 Chat allow remote attackers to inject arbitrary web script or HTML via crafted HTML tags, as demonstrated by the IMG tag, in the (1) id parameter in (a) mail/index.php and (b) mail/reply.php; (2) login_id parameter in (c) members/is_online.php; (3) site_id parameter in (d) messenger/online.php, (e) messenger/search.php, and (f) messenger/profile.php; (4) contact_name parameter in messenger/search.php; (5) membername parameter in (g) messenger/profileview.php; (6) unspecified parameters used when "editing a profile"; and (7) cust_name parameter in (h) messenger/expire.php. NOTE: The vendor disputes the vectors involving files in the messenger directory, stating "... the referenced folder 'messenger' was never available to the general public...".
- How severe is CVE-2006-3366?
- CVE-2006-3366 has a CVSS 2.0 base score of 2.6, rated low severity.
- Is CVE-2006-3366 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (76th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2006-3366?
- CVE-2006-3366 affects V3 Chat. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2006-3366?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2006-3366 published?
- CVE-2006-3366 was published on 2006-07-06 and last updated on 2026-06-16.
References
- http://securitytracker.com/id?1016340
- http://www.securityfocus.com/archive/1/437755/100/200/threaded
- http://www.securityfocus.com/archive/1/438069/100/200/threaded
- http://www.securityfocus.com/bid/18543
- http://www.vupen.com/english/advisories/2006/2474
Affected products (1)
- cpe:2.3:a:v3_chat:v3_chat:beta:*:*:*:*:*:*:*
More vulnerabilities in V3 Chat
- CVE-2006-3365 — Low (CVSS 2.6): V3 Chat allows remote attackers to obtain the installation path via (1) an invalid id parameter to mail/index.php or…