CVE-2005-4224

Sažetak

Multiple "potential" SQL injection vulnerabilities in e107 0.7 might allow remote attackers to execute arbitrary SQL commands via (1) the email, hideemail, image, realname, signature, timezone, and xupexist parameters in signup.php, (2) the content_comment, content_rating, and content_summary parameters in subcontent.php, (3) the download_category and file_demo in upload.php, and (4) the email, hideemail, user_timezone, and user_xup parameters in usersettings.php.

Reference

http://glide.stanford.edu/yichen/research/sec.pdf
http://secunia.com/advisories/18023/
http://www.osvdb.org/21657
http://www.osvdb.org/21658
http://www.osvdb.org/21659
http://www.osvdb.org/21660
http://www.securityfocus.com/archive/1/419280/100/0/threaded
http://www.securityfocus.com/archive/1/419487/100/0/threaded
http://www.vupen.com/english/advisories/2005/2861

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

19-10-2018 - 15:40

Objavljeno

14-12-2005 - 11:03