CVE-2006-0444

Sažetak

SQL injection vulnerability in index.php in Phpclanwebsite (aka PCW) 1.23.1 allows remote attackers to execute arbitrary SQL commands via the (1) par parameter in the post function on the forum page and possibly the (2) poll_id parameter on the poll page. NOTE: the poll_id vector can also allow resultant cross-site scripting (XSS) from an unquoted error message for invalid SQL syntax.

Reference

http://secunia.com/advisories/18597
http://www.h4cky0u.org/advisories/HYSA-2006-002-phpclan.txt
http://www.osvdb.org/22720
http://www.osvdb.org/22722
http://www.securityfocus.com/archive/1/423145/100/0/threaded
http://www.securityfocus.com/bid/16391
http://www.vupen.com/english/advisories/2006/0342
https://exchange.xforce.ibmcloud.com/vulnerabilities/24355

CVSS

Base:	6.8
Impact:	6.4
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:M/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

19-10-2018 - 15:44

Objavljeno

26-01-2006 - 22:03