CVE-2006-3092 - PhpMyFactures 1.2 and earlier allows remote attackers to bypass authentication and modify data via d

CVE-2006-3092

Summary

PhpMyFactures 1.2 and earlier allows remote attackers to bypass authentication and modify data via direct requests with modified parameters to (1) /tva/ajouter_tva.php, (2) /remises/ajouter_remise.php, (3) /pays/ajouter_pays.php, (4) /pays/modifier_pays.php, (5) /produits/ajouter_cat.php, (6) /produits/ajouter_produit.php, (7) /clients/ajouter_client.php, (8) /clients/modifier_client.php. NOTE: the provenance of this information is unknown; portions of the details are obtained from third party information.

References

Vulnerable Configurations

cpe:2.3:a:phpmyfactures:phpmyfactures:1.0:*:*:*:*:*:*:*
cpe:2.3:a:phpmyfactures:phpmyfactures:1.0:*:*:*:*:*:*:*
cpe:2.3:a:phpmyfactures:phpmyfactures:*:*:*:*:*:*:*:*
cpe:2.3:a:phpmyfactures:phpmyfactures:*:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 18-10-2018 - 16:45)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

bugtraq	20060610 PhpMyFactures 1.0 Cross Site Scripting, SQL Injection, Full Path Disclosure and others
misc	http://www.acid-root.new.fr/advisories/phpmyfactures.txt
osvdb	26477
secunia	20642
sreason	1111
xf	phpmyfactures-multiple-data-manipulation(27206)

Last major update

18-10-2018 - 16:45

Published

19-06-2006 - 21:02

Last modified

18-10-2018 - 16:45