CVE-2007-0693 - SQL injection vulnerability in news.php in DGNews 2.1 allows remote attackers to execute arbitrary S

CVE-2007-0693

Summary

SQL injection vulnerability in news.php in DGNews 2.1 allows remote attackers to execute arbitrary SQL commands via the catid parameter in a newslist action. NOTE: this issue can produce resultant cross-site scripting (XSS).

References

Vulnerable Configurations

cpe:2.3:a:dian_gemilang:dgnews:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:dian_gemilang:dgnews:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:dian_gemilang:dgnews:2.1:*:*:*:*:*:*:*
cpe:2.3:a:dian_gemilang:dgnews:2.1:*:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 16-10-2018 - 16:33)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

refmap via4

bid	24201
bugtraq	20070528 DGNews version 2.1 SQL Injection Vulnerability
misc	http://www.netvigilance.com/advisory0022
osvdb	34227
secunia	25438
sreason	2740
vupen	ADV-2007-1981
xf	dgnews-news-sql-injection(34539)

Last major update

16-10-2018 - 16:33

Published

30-05-2007 - 20:30

Last modified

16-10-2018 - 16:33