PT-2010-4350 · Unknown · Event Horizon

Published

2010-07-23

Updated

2010-07-29

CVE-2010-2855

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Event Horizon (EVH) version 1.1.10

Description The issue allows remote attackers to execute arbitrary SQL commands. This is achieved through SQL injection vulnerabilities in the modfile.php file, specifically when the magic quotes gpc setting is disabled. The vulnerable parameters are YourEmail and VerificationNumber.

Recommendations For Event Horizon (EVH) version 1.1.10, consider disabling the modfile.php file or restricting access to it until a fix is available. As a temporary workaround, enable the magic quotes gpc setting to prevent SQL injection attacks via the YourEmail and VerificationNumber parameters.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2010-2855

Affected Products

Event Horizon

PT-2010-4350 · Unknown · Event Horizon

CVE-2010-2855

Weakness Enumeration

Related Identifiers

Affected Products

References · 3