Vulnerability CVE-2005-2473


Published: 2005-08-05   Modified: 2012-02-12

Description:
Multiple SQL injection vulnerabilities in ChurchInfo allow remote attackers to execute arbitrary SQL commands via the PersonID parameter to (1) PersonView.php, (2) MemberRoleChange.php, (3) PropertyAssign.php, (4) WhyCameEditor.php, (5) GroupPropsEditor.php, (6) Reports/PDFLabel.php, or (7) UserDelete.php, (8) DepositSlipID parameter to DepositSlipEditor.php, (9) QueryID parameter to QueryView.php, GroupID parameter to (10) GroupView.php, (11) GroupMemberList.php, (12) MemberRoleChange.php, (13) GroupDelete.php, (14) /Reports/ClassAttendance.php, or (15) /Reports/GroupReport.php, (16) PropertyID parameter to PropertyEditor.php, FamilyID parameter to (17) Canvas05Editor.php, (18) CanvasEditor.php, or (19) FamilyView.php, or (20) PledgeID parameter to PledgeDetails.php.

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software:
Churchinfo -> Churchinfo

 References:
http://xforce.iss.net/xforce/xfdb/21647
http://www.securityfocus.com/bid/14438
http://www.osvdb.org/18428
http://www.osvdb.org/18427
http://www.osvdb.org/18424
http://www.osvdb.org/18423
http://www.osvdb.org/18422
http://www.osvdb.org/18421
http://www.osvdb.org/18420
http://www.osvdb.org/18419
http://www.osvdb.org/18418
http://www.osvdb.org/18417
http://www.osvdb.org/18416
http://www.osvdb.org/18415
http://www.osvdb.org/18414
http://www.osvdb.org/18413
http://www.osvdb.org/18412
http://www.osvdb.org/18411
http://www.osvdb.org/18410
http://www.osvdb.org/18409
http://www.osvdb.org/18408
http://securitytracker.com/id?1014617
http://secunia.com/advisories/16292
http://marc.theaimsgroup.com/?l=bugtraq&m=112291550713546&w=2
