PT-2007-4310 · General Networks · Activeweb
Published
2007-07-15
·
Updated
2018-10-16
·
CVE-2007-3013
CVSS v2.0
6.5
Medium
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions:
activeWeb contentserver versions prior to 5.6.2964
Description:
The issue allows remote authenticated users with edit permission to execute arbitrary SQL commands. This can be achieved via the
id parameter to the "admin/picture/picture real edit.asp" API endpoint, and possibly other unspecified vectors.Recommendations:
For versions prior to 5.6.2964, update to version 5.6.2964 or later to resolve the issue. As a temporary workaround, consider restricting access to the "admin/picture/picture real edit.asp" endpoint and limiting the use of the
id parameter to minimize the risk of exploitation.Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Activeweb