PT-2011-1758 · 6Kbbs · 6Kbbs

Zym

Published

2011-07-08

Updated

2017-08-29

CVE-2010-4812

CVSS v2.0

6.5

Medium

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions 6kbbs version 8.0 build 20100901

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the tids[] parameter to "ajaxadmin.php" and the msgids[] parameter to "ajaxmember.php".

Recommendations For version 8.0 build 20100901, consider restricting access to the "ajaxadmin.php" and "ajaxmember.php" API endpoints until a patch is available. As a temporary workaround, avoid using the tids[] and msgids[] parameters in the affected API endpoints.

Fix

RCE

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2010-4812

Affected Products

6Kbbs

PT-2011-1758 · 6Kbbs · 6Kbbs

CVE-2010-4812

Weakness Enumeration

Related Identifiers

Affected Products

References · 7