{"api_version":"1","generated_at":"2026-04-23T04:09:26+00:00","cve":"CVE-2006-7236","urls":{"html":"https://cve.report/CVE-2006-7236","api":"https://cve.report/api/cve/CVE-2006-7236.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2006-7236","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2006-7236"},"summary":{"title":"CVE-2006-7236","description":"The default configuration of xterm on Debian GNU/Linux sid and possibly Ubuntu enables the allowWindowOps resource, which allows user-assisted attackers to execute arbitrary code or have unspecified other impact via escape sequences.","state":"PUBLISHED","assigner":"mitre","published_at":"2009-01-02 18:11:09","updated_at":"2026-04-23 00:35:47"},"problem_types":["CWE-16","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"9.3","severity":"","vector":"AV:N/AC:M/Au:N/C:C/I:C/A:C","data":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:C/I:C/A:C","baseScore":9.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"}}],"references":[{"url":"http://secunia.com/advisories/33388","name":"http://secunia.com/advisories/33388","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Ubuntu update for xterm - Secunia Advisories - Vulnerability Information - Secunia.com","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/703-1/","name":"https://usn.ubuntu.com/703-1/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"USN-703-1: xterm vulnerabilities | Ubuntu security notices","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030","name":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"#510030 - [CVE-2008-2383] xterm: DECRQSS and comments - Debian Bug report logs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384593","name":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384593","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"#384593 - xterm: allowWindowOps should be disabled by default - Debian Bug report logs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2006-7236","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2006-7236","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2006","cve_id":"7236","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2006","cve_id":"7236","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"invisible-island","cpe5":"xterm","cpe6":"_nil_","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2006","cve_id":"7236","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"ubuntu","cpe5":"linux","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[{"cvename":"CVE-2006-7236","organization":"Red Hat","lastmodified":"2009-01-21","contributor":"Tomas Hoger","statementText":"Not vulnerable. This issue did not affect the versions of the xterm package, as shipped with Red Hat Enterprise Linux 3, 4, and 5, and the version of the XFree86 (providing xterm) and hanterm-xf packages, as shipped with Red Hat Enterprise Linux 2.1.","cve_year":"2006","cve_id":"7236","crc32":"10d91082"}],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-07T20:57:40.715Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"33388","tags":["third-party-advisory","x_refsource_SECUNIA","x_transferred"],"url":"http://secunia.com/advisories/33388"},{"name":"USN-703-1","tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"https://usn.ubuntu.com/703-1/"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384593"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2006-09-05T00:00:00.000Z","descriptions":[{"lang":"en","value":"The default configuration of xterm on Debian GNU/Linux sid and possibly Ubuntu enables the allowWindowOps resource, which allows user-assisted attackers to execute arbitrary code or have unspecified other impact via escape sequences."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2018-10-03T20:57:01.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"name":"33388","tags":["third-party-advisory","x_refsource_SECUNIA"],"url":"http://secunia.com/advisories/33388"},{"name":"USN-703-1","tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"https://usn.ubuntu.com/703-1/"},{"tags":["x_refsource_CONFIRM"],"url":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030"},{"tags":["x_refsource_CONFIRM"],"url":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384593"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2006-7236","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The default configuration of xterm on Debian GNU/Linux sid and possibly Ubuntu enables the allowWindowOps resource, which allows user-assisted attackers to execute arbitrary code or have unspecified other impact via escape sequences."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"33388","refsource":"SECUNIA","url":"http://secunia.com/advisories/33388"},{"name":"USN-703-1","refsource":"UBUNTU","url":"https://usn.ubuntu.com/703-1/"},{"name":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030","refsource":"CONFIRM","url":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030"},{"name":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384593","refsource":"CONFIRM","url":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384593"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2006-7236","datePublished":"2009-01-02T18:00:00.000Z","dateReserved":"2009-01-02T00:00:00.000Z","dateUpdated":"2024-08-07T20:57:40.715Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2009-01-02 18:11:09","lastModifiedDate":"2026-04-23 00:35:47","problem_types":["CWE-16","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:C/I:C/A:C","baseScore":9.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"},"baseSeverity":"HIGH","exploitabilityScore":8.6,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":true,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:invisible-island:xterm:_nil_:*:*:*:*:*:*:*","matchCriteriaId":"BE291BE0-5A80-4D58-BF1F-1A7089D2471E"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*","matchCriteriaId":"4C8919F1-CD33-437E-9627-69352B276BA3"},{"vulnerable":false,"criteria":"cpe:2.3:o:ubuntu:linux:*:*:*:*:*:*:*:*","matchCriteriaId":"84BB6CD8-43ED-4998-8D68-6934B93EA833"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2006","CveId":"7236","Ordinal":"1","Title":"CVE-2006-7236","CVE":"CVE-2006-7236","Year":"2006"},"notes":[{"CveYear":"2006","CveId":"7236","Ordinal":"1","NoteData":"The default configuration of xterm on Debian GNU/Linux sid and possibly Ubuntu enables the allowWindowOps resource, which allows user-assisted attackers to execute arbitrary code or have unspecified other impact via escape sequences.","Type":"Description","Title":"CVE-2006-7236"},{"CveYear":"2006","CveId":"7236","Ordinal":"2","NoteData":"2009-01-02","Type":"Other","Title":"Published"},{"CveYear":"2006","CveId":"7236","Ordinal":"3","NoteData":"2018-10-03","Type":"Other","Title":"Modified"}]}}}