PT-2006-2611 · Awebnews · Awebnews

Aliaksandr Hartsuyeu

Published

2006-04-04

Updated

2018-10-18

CVE-2006-1613

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions: aWebNews version 1.0

Description: The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the user123 variable in login.php or fpass.php, or the cid parameter to visview.php.

Recommendations: For aWebNews version 1.0, consider restricting access to the vulnerable API endpoints, such as "login.php" and "fpass.php", and avoid using the user123 variable and cid parameter in "visview.php" until a fix is available. As a temporary workaround, consider implementing input validation and sanitization for the user123 variable and cid parameter to minimize the risk of exploitation.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2006-1613

Affected Products

Awebnews

PT-2006-2611 · Awebnews · Awebnews

CVE-2006-1613

Related Identifiers

Affected Products

References · 10