PT-2007-6494 · Kwsphp · Kwsphp Newsletter Module

S4Mi · Published 2007-10-14 · Updated 2017-09-29 · CVE-2007-5458

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: KwsPHP newsletter module version 1.0
Description: A SQL injection issue allows remote attackers to execute arbitrary SQL commands via the newsletter parameter to index.php when magic_quotes_gpc is disabled.
Recommendations: Until a patch is available for KwsPHP newsletter module version 1.0, consider disabling the execution of SQL commands from user input, and enable magic_quotes_gpc to prevent SQL injection attacks.

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2007-5458

Affected Products

Kwsphp Newsletter Module