Vulnerability CVE-2008-7091

Vulnerability CVE-2008-7091

Published: 2009-08-26 Modified: 2012-02-12

Description:

Multiple SQL injection vulnerabilities in Pligg 9.9 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to vote.php, which is not properly handled in libs/link.php; (2) id parameter to trackback.php; (3) an unspecified parameter to submit.php; (4) requestTitle variable in a query to story.php; (5) requestID and (6) requestTitle variables in recommend.php; (7) categoryID parameter to cloud.php; (8) title parameter to out.php; (9) username parameter to login.php; (10) id parameter to cvote.php; and (11) commentid parameter to edit.php.

See advisories in our WLB2 database:

	Topic	Author	Date
High	Pligg <= 9.9.0 Multiple Vulnerabilities	GulfTech Securit...	02.08.2008

Type:

CWE-89

(Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
7.5/10	6.4/10	10/10

Exploit range	Attack complexity	Authentication
Remote	Low	No required
Confidentiality impact	Integrity impact	Availability impact
Partial	Partial	Partial

Affected software
Pligg -> Pligg cms

References:

http://www.gulftech.org/?node=research&article_id=00120-07312008

http://www.securityfocus.com/archive/1/494987/100/0/threaded

http://www.securityfocus.com/bid/30458

https://exchange.xforce.ibmcloud.com/vulnerabilities/44193

https://www.exploit-db.com/exploits/6173

Copyright 2024, cxsecurity.com