CVE-2006-6274 - SQL injection vulnerability in articles.asp in Expinion.net iNews (1) Publisher (iNP) 2.5 and earlie

CVE-2006-6274

Summary

SQL injection vulnerability in articles.asp in Expinion.net iNews (1) Publisher (iNP) 2.5 and earlier, and possibly (2) News Manager, allows remote attackers to execute arbitrary SQL commands via the ex parameter. NOTE: early reports of this issue reported it as XSS, but this was erroneous. The original report was for News Manager, but there is strong evidence that the correct product is Publisher.

References

Vulnerable Configurations

cpe:2.3:a:expinion.net:inews_publisher:*:*:*:*:*:*:*:*
cpe:2.3:a:expinion.net:inews_publisher:*:*:*:*:*:*:*:*
cpe:2.3:a:expinion.net:news_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:expinion.net:news_manager:*:*:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 17-10-2018 - 21:47)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

refmap via4

bid	21296
bugtraq	20061124 [Aria-Security Team] iNews News Manager SQL Injection
misc	http://www.aria-security.com/forum/showthread.php?t=40
secunia	23123
sreason	1956
vim	20061128 [Aria-Security Team] iNews News Manager SQL Injection
vupen	ADV-2006-4707
xf	inews-articles-xss(30510)

Last major update

17-10-2018 - 21:47

Published

04-12-2006 - 11:28

Last modified

17-10-2018 - 21:47