Vulnerability CVE-2005-3208


Published: 2005-10-14   Modified: 2012-02-12

Description:
Multiple SQL injection vulnerabilities in (1) aeNovo, (2) aeNovoShop and (3) aeNovoWYSI allow remote attackers to execute arbitrary SQL code via (a) the password parameter in control.asp, and (b) the strSQL parameter in search.asp, which can enable XSS attacks in resulting error messages.

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software:
Aenovo -> Aenovo
Aenovo -> Aenovoshop
Aenovo -> Aenovowysi

References:
http://xforce.iss.net/xforce/xfdb/22553
http://xforce.iss.net/xforce/xfdb/22551
http://xforce.iss.net/xforce/xfdb/22547
http://www.securityfocus.com/bid/15038
http://www.securityfocus.com/bid/15036
http://www.kapda.ir/advisory-78.html
http://secunia.com/advisories/17117/
http://marc.theaimsgroup.com/?l=bugtraq&m=112872593432359&w=2
http://www.osvdb.org/19937
http://www.osvdb.org/19936
