CVE-2006-5908 - Multiple SQL injection vulnerabilities in the login_user function in yans.func.php in Lucas Rodrigue

CVE-2006-5908

Summary

Multiple SQL injection vulnerabilities in the login_user function in yans.func.php in Lucas Rodriguez San Pedro Yet Another News System (YANS) 0.2b allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter.

References

http://archives.neohapsis.com/archives/bugtraq/2006-11/0121.html
http://securityreason.com/securityalert/1866
http://www.securityfocus.com/bid/20963
https://exchange.xforce.ibmcloud.com/vulnerabilities/30119

Vulnerable Configurations

cpe:2.3:a:lucas_rodriguez_san_pedro:yet_another_news_system:0.2b:*:*:*:*:*:*:*
cpe:2.3:a:lucas_rodriguez_san_pedro:yet_another_news_system:0.2b:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 20-07-2017 - 01:34)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

bid	20963
bugtraq	20061108 Y.A.N.S sql injection
sreason	1866
xf	yans-username-sql-injection(30119)

Last major update

20-07-2017 - 01:34

Published

15-11-2006 - 15:07

Last modified

20-07-2017 - 01:34