Web application abuses : Xataface WebAuction and Xataface Librarian DB Multiple Vulnerabilities

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.801981

Categoría: Web application abuses

Título: Xataface WebAuction and Xataface Librarian DB Multiple Vulnerabilities

Resumen: Xataface WebAuction/Librarian DB is prone to multiple vulnerabilities.

Descripción: Summary:
Xataface WebAuction/Librarian DB is prone to multiple vulnerabilities.

Vulnerability Insight:
Multiple flaws are due to input passed to the,

- '-action' parameter in 'index.php' is not properly verified. This can be
exploited to read complete installation path.

- 'list&-table' and '-action' parameter in 'index.php' page is not properly
verified before being used in an SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL queries.

- '-action' and 'list&-table' parameter in 'index.php' page is not properly
verified before it is returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site.

- 'list&-lang' and '-table' parameter in 'index.php' page is not properly
verified before it is returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site.

- 'list&-lang' parameter in 'index.php' is not properly verified before
using it to include files. This can be exploited to include arbitrary
files from external and local resources.

Vulnerability Impact:
Successful exploitation could allow an attacker to execute
arbitrary HTML code in a user's browser session in the context of a vulnerable
application or to manipulate SQL queries by injecting arbitrary SQL code or to
include arbitrary files from external and local resources.

Affected Software/OS:
Xataface WebAuction Version 0.3.6 and prior.

Xataface Librarian DB version 0.2 and prior.

Solution:
No known solution was made available for at least one year since the disclosure
of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer
release, disable respective features, remove the product or replace the product by another one.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Copyright Copyright (C) 2011 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.801981
Categoría:	Web application abuses
Título:	Xataface WebAuction and Xataface Librarian DB Multiple Vulnerabilities
Resumen:	Xataface WebAuction/Librarian DB is prone to multiple vulnerabilities.
Descripción:	Summary: Xataface WebAuction/Librarian DB is prone to multiple vulnerabilities. Vulnerability Insight: Multiple flaws are due to input passed to the, - '-action' parameter in 'index.php' is not properly verified. This can be exploited to read complete installation path. - 'list&-table' and '-action' parameter in 'index.php' page is not properly verified before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL queries. - '-action' and 'list&-table' parameter in 'index.php' page is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. - 'list&-lang' and '-table' parameter in 'index.php' page is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. - 'list&-lang' parameter in 'index.php' is not properly verified before using it to include files. This can be exploited to include arbitrary files from external and local resources. Vulnerability Impact: Successful exploitation could allow an attacker to execute arbitrary HTML code in a user's browser session in the context of a vulnerable application or to manipulate SQL queries by injecting arbitrary SQL code or to include arbitrary files from external and local resources. Affected Software/OS: Xataface WebAuction Version 0.3.6 and prior. Xataface Librarian DB version 0.2 and prior. Solution: No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Copyright	Copyright (C) 2011 Greenbone AG