PT-2005-3576 · Postnuke · Postnuke

Published: 2005-08-24 · Updated: 2008-09-05 · CVE-2005-2690

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: PostNuke versions 0.760-RC4b

Description: A SQL injection issue exists in the Downloads module, allowing administrators to execute arbitrary SQL commands. This is achieved by manipulating the show parameter of the dl-viewdownload.php endpoint.

Recommendations: For PostNuke version 0.760-RC4b, consider restricting access to the dl-viewdownload.php endpoint until a fix is available, and avoid using the show parameter of this endpoint to minimize the risk of exploitation.
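To check that the access restriction recommended above is holding and to spot attempts against the show parameter, the following added example (not part of the advisory and not PostNuke code) scans web-server access-log lines for requests that reach dl-viewdownload.php with a show parameter. It assumes Apache/nginx combined-format logs and that a legitimate show value, if any, is a plain integer; the log lines are constructed for the demonstration.

```python
"""Flag requests that touch the show parameter of PostNuke's
dl-viewdownload.php in access logs (added example, not PostNuke code).

Assumptions not stated in the advisory: combined-format log lines, and a
legitimate show value (if the parameter is used at all) is an integer.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines for demonstration only.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Aug/2005:10:00:01 +0000] "GET /dl-viewdownload.php?show=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Aug/2005:10:00:02 +0000] "GET /dl-viewdownload.php?show=42%27%20OR%201%3D1 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Aug/2005:10:00:03 +0000] "GET /index.php?module=Downloads HTTP/1.1" 200 300 "-" "curl/7.10"
203.0.113.5 - - [24/Aug/2005:10:00:04 +0000] "GET /dl-viewdownload.php?cid=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Generic SQL metacharacter / keyword indicators; any of these inside a value
# that should be an integer is enough to mark the request for investigation.
SQLI_RE = re.compile(r"['\"#;]|--|/\*|\b(union|select|or|and)\b", re.IGNORECASE)


def classify(url):
    """Return None unless the URL targets dl-viewdownload.php with a show
    parameter; otherwise ("benign"|"suspicious"|"unexpected", show value)."""
    parts = urlsplit(url)
    if not parts.path.endswith("/dl-viewdownload.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("show")
    if not values:
        return None
    value = values[0]  # parse_qs already percent-decodes the value
    if value.isdigit():
        return ("benign", value)
    if SQLI_RE.search(value):
        return ("suspicious", value)
    return ("unexpected", value)


def scan(log_text):
    """Return (ip, timestamp, verdict, show value) for every request that
    carries the show parameter; unparsable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["url"])
        if verdict:
            hits.append((m["ip"], m["ts"], verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Any hit at all shows the endpoint is still reachable with the parameter, which contradicts the recommended restriction; "suspicious" hits are the ones to triage first.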


Related Identifiers: CVE-2005-2690

Affected Products: Postnuke