PT-2010-3571 · Joomla · Online News Paper Manager

Published: 2010-05-18 · Updated: 2010-05-19 · CVE-2010-1950

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Online News Paper Manager (com_jnewspaper) version 1.0 for Joomla!

Description

The issue allows remote attackers to execute arbitrary SQL commands when magic_quotes_gpc is disabled. This is achieved by exploiting the date_info parameter to the "index.php" endpoint.

Recommendations

For version 1.0, consider disabling the date_info parameter in the "index.php" endpoint until a patch is available. Restrict access to the index.php endpoint to minimize the risk of exploitation. Avoid using the date_info parameter in the affected endpoint until the issue is resolved.

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2010-1950

Affected Products

Online News Paper Manager