CVE-2006-6274

Name of the Vulnerable Software and Affected Versions Expinion.net iNews (iNP) Publisher versions 2.5 and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands via the ex parameter in the articles.asp file. Initial reports incorrectly identified this as a cross-site scripting (XSS) issue, but it was later determined to be a SQL injection vulnerability. The vulnerability was initially reported for News Manager, but evidence suggests that the correct affected product is Publisher.

Recommendations For versions 2.5 and earlier, consider restricting access to the articles.asp file until a fix is available. As a temporary workaround, avoid using the ex parameter in the articles.asp file to minimize the risk of exploitation.