PT-2007-3319 · Unknown+1 · Wf-Section+2

Ajann

Published

2007-04-12

Updated

2018-10-16

CVE-2007-1974

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions WF-Section (aka WF-Sections) version 1.0.1 Zmagazine version 1.0 Happy Linux XFsection versions 1.07 and earlier

Description A SQL injection issue exists in the getArticle function in class/wfsarticle.php, allowing remote attackers to execute arbitrary SQL commands via the articleid parameter to "print.php".

Recommendations For WF-Section (aka WF-Sections) version 1.0.1, avoid using the articleid parameter in the affected API endpoint until the issue is resolved. For Zmagazine version 1.0, restrict access to the vulnerable module to minimize the risk of exploitation. For Happy Linux XFsection versions 1.07 and earlier, consider disabling the getArticle function in class/wfsarticle.php as a temporary workaround until a patch is available.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2007-1974

Affected Products

Happy Linux Xfsection

Wf-Section

Zmagazine

PT-2007-3319 · Unknown+1 · Wf-Section+2

CVE-2007-1974

Related Identifiers

Affected Products

References · 20