Vulnerability CVE-2013-7289


Published: 2014-01-10

Description:
Multiple cross-site scripting (XSS) vulnerabilities in register.php in Andy's PHP Knowledgebase (Aphpkb) before 0.95.8 allow remote attackers to inject arbitrary web script or HTML via the (1) first_name, (2) last_name, (3) email, or (4) username parameter.
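Illustration added to this record (not Aphpkb's own register.php, whose source is not reproduced here): a minimal registration form that re-displays the four parameters named above when a submission is rejected. The vulnerable renderer interpolates the submitted values into attribute values unescaped, which is the CWE-79 pattern the description identifies; the hardened renderer applies htmlspecialchars() with ENT_QUOTES so the same request stays inside the attribute. The field names are from the description; the form markup, function names and the payload are assumptions.

```php
<?php
// Added illustration, not Aphpkb's actual register.php.
// Assumes the common pattern: a registration form that echoes the submitted
// first_name, last_name, email and username back into the form when
// validation fails, so a crafted GET/POST request reflects attacker input.

declare(strict_types=1);

const FIELDS = ['first_name', 'last_name', 'email', 'username'];

/** Vulnerable: submitted values are written straight into attribute values. */
function render_form_vulnerable(array $post): string
{
    $html = '<form method="post" action="register.php">' . "\n";
    foreach (FIELDS as $f) {
        $v = $post[$f] ?? '';
        // No output encoding: a double quote in $v closes the attribute.
        $html .= "<input name=\"$f\" value=\"$v\">\n";
    }
    return $html . "</form>\n";
}

/** Escape for an HTML attribute context (double-quoted attributes). */
function h(string $s): string
{
    // ENT_QUOTES: encode both ' and "; ENT_SUBSTITUTE: replace invalid UTF-8
    // instead of silently returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened: every value is encoded on output; non-string input is dropped. */
function render_form_safe(array $post): string
{
    $html = '<form method="post" action="register.php">' . "\n";
    foreach (FIELDS as $f) {
        $raw = $post[$f] ?? '';
        $v = is_string($raw) ? $raw : '';   // first_name[]=x must not reach the page
        $html .= '<input name="' . h($f) . '" value="' . h($v) . "\">\n";
    }
    return $html . "</form>\n";
}

// Constructed payload (hypothetical): the leading quote closes the value
// attribute, then an event handler is injected (attribute-context XSS).
$payload = '" autofocus onfocus="alert(document.domain)';
$post = [
    'first_name' => $payload,
    'last_name'  => 'Doe',
    'email'      => 'jane@example.invalid',
    'username'   => 'jane',
];

echo "--- vulnerable ---\n", render_form_vulnerable($post);
echo "--- hardened ---\n", render_form_safe($post);
// In the hardened output the quote is emitted as &quot;, so the browser
// treats the whole payload as the literal field value.
```

Escaping must be applied at the point of output for the context in use (attribute here); validating the fields on input is a useful second layer but does not replace it, since the email or username may legitimately contain characters such as ' or <.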

Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: Aphpkb
Product: Aphpkb
Version:
0.95.7
0.95.6
0.95.5
0.95.4
0.95.3
0.95.2
0.95.1
0.95
0.94.9
0.94.8
0.94.7
0.94.6
0.94.5
0.94.4
0.94.3
0.94.2
0.94.1
0.93.9
0.93.8
0.93.7
0.93.6
0.93.5
0.93.4
0.93.3
0.93.2
0.93.1
0.92.9
0.92.8
0.92.7
0.92.6
0.92.5
0.92.4
0.92.3
0.92.2
0.92.1
0.92
0.91
0.9
0.89
0.88.8
0.88.7
0.88.6
0.88.5
0.88
0.87
0.86
0.85
0.84
0.83
0.82
0.81
0.80
0.79
0.78
0.77
0.76
0.75
0.74
0.73
0.72
0.71
0.70
0.67
0.66
0.65
0.64
0.63
0.62
0.61
0.6
0.59
0.58
0.57
0.56
0.55
0.54
0.53
0.52
0.51
0.5
0.45
0.44
0.43
0.42
0.41
0.4
0.39
0.38
0.371
0.361
0.35
0.33
0.31
0.3
0.21
0.2
0.1

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

References:
http://aphpkb.blogspot.dk/2013/12/release-of-aphpkb-0958.html
http://sourceforge.net/p/aphpkb/code/91
http://secunia.com/advisories/56228
http://osvdb.org/101466

Related CVE
CVE-2013-7277
Multiple cross-site scripting (XSS) vulnerabilities in Andy's PHP Knowledgebase (Aphpkb) before 0.95.8 allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP Referer header to saa.php, (2) username parameter to login.php, or (...
CVE-2011-1556
SQL injection vulnerability in plugins/pdfClasses/pdfgen.php in Andy's PHP Knowledgebase (Aphpkb) 0.95.4 allows remote attackers to execute arbitrary SQL commands via the pdfa parameter.
CVE-2011-1555
SQL injection vulnerability in saa.php in Andy's PHP Knowledgebase (Aphpkb) 0.95.3 and earlier allows remote attackers to execute arbitrary SQL commands via the aid parameter, a different vulnerability than CVE-2011-1546. NOTE: some of these details...
CVE-2011-1546
Multiple SQL injection vulnerabilities in Andy's PHP Knowledgebase (Aphpkb) before 0.95.3 allow remote attackers to execute arbitrary SQL commands via the s parameter to (1) a_viewusers.php or (2) keysearch.php; and allow remote authenticated adminis...
CVE-2008-6513
Unrestricted file upload vulnerability in saa.php in Andy's PHP Knowledgebase (aphpkb) 0.92.9 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a link that is listed by authors.p...

Copyright 2019, cxsecurity.com
