PT-2006-2535 · Null News · Null News

Aliaksandr Hartsuyeu · Published 2006-03-30 · Updated 2018-10-18 · CVE-2006-1534

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Null News (affected versions not specified)
Description: Null News contains multiple SQL injection vulnerabilities that allow remote attackers to execute arbitrary SQL commands. The affected inputs are the user email parameter in lostpass.php, and the user email and user username parameters in sub.php and unsub.php.
Recommendations: For Null News, consider restricting access to the lostpass.php, sub.php, and unsub.php scripts until a fix is available. As a temporary workaround, avoid using the user email and user username parameters in the affected scripts. Restrict input for the user email and user username parameters to minimize the risk of exploitation.


Related Identifiers

CVE-2006-1534

Affected Products

Null News