ID CVE-2002-1499
Summary Multiple SQL injection vulnerabilities in FactoSystem CMS allow remote attackers to perform unauthorized database actions via (1) the authornumber parameter in author.asp, (2) the discussblurbid parameter in discuss.asp, (3) the name parameter in holdcomment.asp, and (4) the email parameter in holdcomment.asp.
References
Vulnerable Configurations
  • cpe:2.3:a:factosystem:factosystem_weblog:0.9b:*:*:*:*:*:*:*
  • cpe:2.3:a:factosystem:factosystem_weblog:1.0_beta:*:*:*:*:*:*:*
  • cpe:2.3:a:factosystem:factosystem_weblog:1.1_beta:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 05-09-2008 - 20:30)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
refmap via4
bid 5600
bugtraq 20020831 FactoSystem CMS Contains Multiple Vulnerabilities
misc http://sourceforge.net/tracker/index.php?func=detail&aid=602711&group_id=12668&atid=112668
vulnwatch 20020830 FactoSystem CMS Contains Multiple Vulnerabilities
xf factosystem-asp-sql-injection(10000)
Last major update 05-09-2008 - 20:30
Published 02-04-2003 - 05:00
Last modified 05-09-2008 - 20:30