[VIM] CVE-2006-2823

Steven M. Christey coley at linus.mitre.org
Thu Jun 8 15:01:54 EDT 2006


On Thu, 8 Jun 2006, Stuart Moore wrote:

> Hi.  The recently reported "new bug" in a.shopKart 2.0 [assigned
> CVE-2006-2823] is actually an old bug reported by CyberTalon back in
> March 2004:
>
> http://securitytracker.com/id?1009549
>
> It appears that there is no 2004-year CVE number assigned.

Agreed.

> Should the new CVE number be applied to the old report?

Yes.  Aesthetically it should have come out with a 2004 number, but we
missed that this was a rediscovery.

Thanks for pointing this out!  Updated CVE-2006-2823 below.

- Steve

======================================================
Name: CVE-2006-2823
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2823
Reference: BUGTRAQ:20060602 new bug
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/435746/100/0/threaded
Reference: FRSIRT:ADV-2006-2208
Reference: URL:http://www.frsirt.com/english/advisories/2006/2208
Reference: SECTRACK:1009549
Reference: URL:http://securitytracker.com/id?1009549
Reference: SECUNIA:20485
Reference: URL:http://secunia.com/advisories/20485
Reference: XF:ashopkart-database-file-access(15599)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15599

Katrien De Graeve a.shopKart 2.0 (aka ashopKart20) stores sensitive
information under the web root with insufficient access control, which
allows remote attackers to download a database via a direct request
for (1) admin/scart.mdb and possibly (2) admin/scart97.mdb.



