PT-2005-2494 · Mybloggie · Mybloggie

Alberto Trivero

Published

2005-05-11

Updated

2017-07-11

CVE-2005-1498

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions myBloggie version 2.1.1

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters in viewmode.php and index.php, which are not properly sanitized before being displayed in an error message. Specifically, the year parameter in viewmode.php and the cat id, month no, and post id parameters in index.php are vulnerable.

Recommendations For myBloggie version 2.1.1, consider disabling the vulnerable parameters year, cat id, month no, and post id in viewmode.php and index.php until a patch is available. Restrict access to the error messages that display these parameters to minimize the risk of exploitation.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2005-1498

Affected Products

Mybloggie

PT-2005-2494 · Mybloggie · Mybloggie

CVE-2005-1498

Related Identifiers

Affected Products

References · 7