Vulnerability CVE-2006-4757


Published: 2006-09-13   Modified: 2012-02-12

Description:
Multiple SQL injection vulnerabilities in the admin section in e107 0.7.5 allow remote authenticated administrative users to execute arbitrary SQL commands via the (1) linkopentype, (2) linkrender, (3) link_class, and (4) link_id parameters in (a) links.php; the (5) searchquery parameter in (b) users.php; and the (6) download_category_class parameter in (c) download.php. NOTE: an e107 developer has disputed the significance of the vulnerability, stating that "If your admins are injecting you, you might want to reconsider their access."

See advisories in our WLB2 database:
Topic
Author
Date
Low
Sql injections in e107 [Admin section]
Omid
18.09.2006

Type:

CWE-Other

CVSS2 => (AV:N/AC:H/Au:S/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.6/10
6.4/10
3.9/10
Exploit range
Attack complexity
Authentication
Remote
High
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
E107 -> E107 

 References:
http://e107.org/e107_plugins/bugtrack/bugtrack.php?id=3195&action=show
http://securityreason.com/securityalert/1569
http://www.securityfocus.com/archive/1/445005/100/100/threaded

Copyright 2024, cxsecurity.com

 

Back to Top