PT-2009-4817 · Usolved · Newsolved

Lama

Published

2009-07-09

Updated

2017-09-19

CVE-2009-2389

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions USOLVED NEWSolved version 1.1.6

Description The issue allows remote attackers to execute arbitrary SQL commands due to multiple SQL injection vulnerabilities in the newsscript.php file when magic quotes gpc is disabled. This can be achieved via the jahr or idneu parameter in an archive action, or the newsid parameter.

Recommendations For USOLVED NEWSolved version 1.1.6, consider disabling the archive action or restricting access to the newsscript.php file until a patch is available. Additionally, enabling magic quotes gpc can help mitigate the risk of SQL injection attacks. Avoid using the jahr, idneu, and newsid parameters in the affected API endpoint until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2009-2389

Affected Products

Newsolved

PT-2009-4817 · Usolved · Newsolved

CVE-2009-2389

Weakness Enumeration

Related Identifiers

Affected Products

References · 4