Vulnerability CVE-2008-0432


Published: 2008-01-23   Modified: 2012-02-12

Description:
Cross-site scripting (XSS) vulnerability in index.php in phpAutoVideo 2.21 and earlier allows remote attackers to inject arbitrary web script or HTML via the cat parameter.

See advisories in our WLB2 database:
Topic
Author
Date
High
Agares PhpAutoVideo 2.21(XSS/RFI) Multiple Remote Vulnerabilities
HouSSaMix & ...
23.01.2008

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: Agares media
Product: Phpautovideo 
Version: 2.21;

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://securityreason.com/securityalert/3567
http://www.securityfocus.com/archive/1/486591/100/0/threaded
http://www.securityfocus.com/bid/27346
http://www.vupen.com/english/advisories/2008/0225
https://exchange.xforce.ibmcloud.com/vulnerabilities/39771

Related CVE
CVE-2008-6040
SQL injection vulnerability in index.php in Arcadem Pro 2.700 through 2.802 allows remote attackers to execute arbitrary SQL commands via the articlecat parameter, probably related to includes/articleblock.php.
CVE-2008-0433
PHP remote file inclusion vulnerability in theme/phpAutoVideo/LightTwoOh/sidebar.php in Agares phpAutoVideo 2.21 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the loadpage parameter, a different vector than CVE-2007-6...
CVE-2008-0262
SQL injection vulnerability in includes/articleblock.php in Agares PhpAutoVideo 2.21 allows remote attackers to execute arbitrary SQL commands via the articlecat parameter.
CVE-2007-6614
PHP remote file inclusion vulnerability in admin/frontpage_right.php in Agares Media phpAutoVideo 2.21 allows remote attackers to execute arbitrary PHP code via a URL in the loadadminpage parameter, a related issue to CVE-2007-6542.
CVE-2007-6615
Directory traversal vulnerability in includes/block.php in Agares Media phpAutoVideo 2.21 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the selected_provider parameter.
CVE-2007-6542
PHP remote file inclusion vulnerability in admin/frontpage_right.php in Arcadem LE 2.04 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the loadadminpage parameter.
CVE-2007-4551
PHP remote file inclusion vulnerability in index.php in Agares Media Arcadem 2.01 allows remote attackers to execute arbitrary PHP code via a URL in the loadpage parameter.
CVE-2007-4552
SQL injection vulnerability in index.php in Agares Media Arcadem 2.01 allows remote attackers to execute arbitrary SQL commands via the blockpage parameter. NOTE: as of 20070827, the vendor has made conflicting statements regarding whether this issu...

Copyright 2019, cxsecurity.com

 

Back to Top