CVE-2006-3135 - Multiple SQL injection vulnerabilities in CMS Mundo 1.0 build 008, and possibly other versions, allo

CVE-2006-3135

Summary

Multiple SQL injection vulnerabilities in CMS Mundo 1.0 build 008, and possibly other versions, allow remote attackers to execute arbitrary SQL commands via the (1) news_id parameter in the (a) news module, (2) searchstring parameter in (b) the search module, (3) id parameter in (c) the webshop module, (4) username parameter in (d) index.php, and (5) Name, (6) Address, (7) Zip, (8) City, (9) Country, and (10) Email fields during (e) a user profile update.

References

Vulnerable Configurations

cpe:2.3:a:hotwebscripts:cms_mundo:1.0_build_008:*:*:*:*:*:*:*
cpe:2.3:a:hotwebscripts:cms_mundo:1.0_build_008:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 20-07-2017 - 01:32)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

misc	http://secunia.com/secunia_research/2006-52/advisory/
osvdb	27139 27140 27141 27142 27143
secunia	20589
sreason	1236
vupen	ADV-2006-2783
xf	cmsmundo-index-sql-injection(27712)

Last major update

20-07-2017 - 01:32

Published

13-07-2006 - 21:05

Last modified

20-07-2017 - 01:32