CVE-2012-1603

Sažetak

Multiple SQL injection vulnerabilities in ajaxserver.php in NextBBS 0.6 allow remote attackers to execute arbitrary SQL commands via the (1) curstr parameter in the findUsers function, (2) id parameter in the isIdAvailable function, or (3) username parameter in the getGreetings function.

Reference

http://archives.neohapsis.com/archives/bugtraq/2012-03/0135.html
http://packetstormsecurity.org/files/111250/NextBBS-0.6.0-Authentication-Bypass-SQL-Injection-XSS.html
http://www.openwall.com/lists/oss-security/2012/03/29/8
http://www.openwall.com/lists/oss-security/2012/03/30/2
http://www.osvdb.org/80637
http://www.securityfocus.com/bid/52728
http://www.waraxe.us/advisory-80.html

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

02-10-2012 - 20:05

Objavljeno

01-10-2012 - 23:55