Vulnerability CVE-2006-4601


Published: 2006-09-06   Modified: 2012-02-12

Description:
SQL injection vulnerability in index.php in Annuaire 1Two 2.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.

See advisories in our WLB2 database:
Topic: [Med.] Annuaire 1Two 2.2 Remote SQL Injection Exploit
Author: DarkFig
Date: 08.09.2006

Type: CWE-Other

Vendor: Annuaire
Product: 1TWO
Version: 2.2

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
http://acid-root.new.fr/poc/09060902.txt
http://securityreason.com/securityalert/1496
http://www.securityfocus.com/archive/1/445010/100/0/threaded
http://www.securityfocus.com/bid/19817
http://www.vupen.com/english/advisories/2006/3440
https://exchange.xforce.ibmcloud.com/vulnerabilities/28730

Related CVE
CVE-2006-1433
Annuaire (Directory) 1.0 allows remote attackers to obtain sensitive information via a direct request to include/lang-en.php, which reveals the full installation path.
CVE-2006-1434
Cross-site scripting (XSS) vulnerability in inscription.php in Annuaire (Directory) 1.0 allows remote attackers to inject arbitrary web script or HTML via the Comment Field (COMMENTAIRE parameter).
CVE-2005-1975
Multiple cross-site scripting (XSS) vulnerabilities in Annuaire 1Two 1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the id parameter to index.php, or the (2) site_id, (3) nom, (4) email, or (5) commentaire param...

Copyright 2019, cxsecurity.com

 
