Vulnerability CVE-2005-4606


Published: 2005-12-31   Modified: 2012-02-12

Description:
SQL injection vulnerability in check_user.asp in multiple Web Wiz products including (1) Site News 3.06 and earlier, (2) Journal 1.0 and earlier, (3) Polls 3.06 and earlier, and (4) and Database Login 1.71 and earlier allows remote attackers to execute arbitrary SQL commands via the txtUserName parameter.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
WebWiz Products SQL Injection
devil_box
30.12.2005

Type:

CWE-89

(Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Webwiz -> Database login 
Webwiz -> Journal 
Webwiz -> Site news 
Webwiz -> Weekly poll 

 References:
http://securityreason.com/securityalert/305
http://www.securityfocus.com/archive/1/420551/100/0/threaded
http://www.securityfocus.com/bid/16085
http://www.vupen.com/english/advisories/2006/0007

Copyright 2024, cxsecurity.com

 

Back to Top