PT-2009-1760 · Active Newsletter · Active Newsletter

R3D-D3V!L · Published 2009-02-25 · Updated 2017-09-29 · CVE-2008-6286

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: Active Newsletter version 4.3
Description: The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the email parameter or the password parameter in SubscriberStart.asp, which can lead to unauthorized access to the database. The attack can be directed to either Subscriber.asp or start.asp.
Recommendations: For Active Newsletter version 4.3, consider restricting access to the SubscriberStart.asp page until a fix is available. As a temporary workaround, avoid using the email and password parameters in the vulnerable page to minimize the risk of exploitation.

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2008-6286

Affected Products

Active Newsletter