CVE-2006-5190

CVE-2006-5190 is a medium-severity vulnerability in Oscommerce with a CVSS 2.0 base score of 4.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.

Key facts

Description

Multiple cross-site scripting (XSS) vulnerabilities in osCommerce 2.2 Milestone 2 Update 060817 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter in the (a) banner_manager.php, (b) banner_statistics.php, (c) countries.php, (d) currencies.php, (e) languages.php, (f) manufacturers.php, (g) newsletters.php, (h) orders_status.php, (i) products_attributes.php, (j) products_expected.php, (k) reviews.php, (l) specials.php, (m) stats_products_purchased.php, (n) stats_products_viewed.php, (o) tax_classes.php, (p) tax_rates.php, or (q) zones.php scripts in /admin, and the (2) zpage parameter in (r) admin/geo_zones.php.

Frequently asked questions

What is CVE-2006-5190?
Multiple cross-site scripting (XSS) vulnerabilities in osCommerce 2.2 Milestone 2 Update 060817 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter in the (a) banner_manager.php, (b) banner_statistics.php, (c) countries.php, (d) currencies.php, (e) languages.php, (f) manufacturers.php, (g) newsletters.php, (h) orders_status.php, (i) products_attributes.php, (j) products_expected.php, (k) reviews.php, (l) specials.php, (m) stats_products_purchased.php, (n) stats_products_viewed.php, (o) tax_classes.php, (p) tax_rates.php, or (q) zones.php scripts in /admin, and the (2) zpage parameter in (r) admin/geo_zones.php.
How severe is CVE-2006-5190?
CVE-2006-5190 has a CVSS 2.0 base score of 4.3, rated medium severity.
Is CVE-2006-5190 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 7% (93rd percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2006-5190?
CVE-2006-5190 primarily affects Oscommerce. In total, 11 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2006-5190?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2006-5190 published?
CVE-2006-5190 was published on 2006-10-10 and last updated on 2026-06-16.

References

Affected products (11)

More vulnerabilities in Oscommerce

All CVEs affecting Oscommerce →