PT-2009-1760 · Active Newsletter · Active Newsletter
R3D-D3V!L
·
Publicado
2009-02-25
·
Atualizado
2017-09-29
·
CVE-2008-6286
CVSS v2.0
7.5
Alta
| Vetor | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions:
Active Newsletter version 4.3
Description:
The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the
email parameter or the password parameter in SubscriberStart.asp, which can lead to unauthorized access to the database. The attack can be directed to either Subscriber.asp or start.asp.Recommendations:
For Active Newsletter version 4.3, consider restricting access to the SubscriberStart.asp page until a fix is available. As a temporary workaround, avoid using the
email and password parameters in the vulnerable page to minimize the risk of exploitation.Exploit
Correção
SQL injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Active Newsletter