PT-2005-3578 · Runcms · Runcms

Published

2005-08-24

Updated

2008-09-05

CVE-2005-2692

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions RunCMS versions 1.2 and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the addquery and subquery parameters to the newbb plus module, the forum parameter to newtopic.php, edit.php, or reply.php in the newbb plus module, or the msg id parameter to print.php in the messages module.

Recommendations For RunCMS versions 1.2 and earlier, as a temporary workaround, consider restricting access to the newbb plus module and the messages module until a patch is available. Avoid using the addquery, subquery, forum, and msg id parameters in the affected API endpoints until the issue is resolved.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2005-2692

Affected Products

Runcms

PT-2005-3578 · Runcms · Runcms

CVE-2005-2692

Related Identifiers

Affected Products

References · 4