ID CVE-2005-3236
Summary Multiple SQL injection vulnerabilities in Cyphor 0.19 allow remote attackers to execute arbitrary SQL and obtain administrative access via (1) the fid parameter of newmsg.php, which can enable XSS attacks when the SQL syntax is invalid, or (2) the nick parameter of lostpwd.php.
References
Vulnerable Configurations
  • cpe:2.3:a:cynox:cyphor:0.19:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 11-07-2017 - 01:33)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
refmap via4
bid 15047
bugtraq 20051008 Cyphor 0.19 SQL Injection / Board takeover / cross site scripting
osvdb
  • 19943
  • 19944
  • 19945
sectrack 1015020
secunia 17104
sreason 70
xf cyphor-lostpwd-newmsg-sql-injection(22552)
Last major update 11-07-2017 - 01:33
Published 14-10-2005 - 10:02
Last modified 11-07-2017 - 01:33